i^'9C SigERVEN 
MORRILL 
MACPHERSON 
FRANKLIN 
I ;J &FRIEL1LP 



-U. 

sn 



1 a\ 



Docket No.: M-7998US 



■ c: 



:0 



25 Metro Drive, Suite 700 
San Jose, CA 95 UO 
Phone 408 453-9200 
Fax 408 453-7979 



January 14, 2000 



Box Patent Application 

Assistant Commissioner for Patents 

Washington, D. C. 20231 

Enclosed herewith for filing is a patent application, as follows: 
Inventor(s): 
Title: 



o 



'CO = 

o 



so 



50 



X 
X 
26 
12 
1 

27 
3 
1 
2 
2 

74 



Faisal Haq, Hari Lalgudi 

Implementing Access Control Lists Usiing A Balanced Hash Table Of Access Control List 
Binary Comparison Trees 

Return Receipt Postcard 
This Transmittal Letter (in duplicate) 
page(s) Specification (not including claims) 
page(s) Claims 
page Abstract 
Sheet(s) of Drawings 

page(s) Declaration For Patent Application and Power of Attorney 

page(s) Recordation Form Cover Sheet (in duplicate) 

page(s) Assignment 

page(s) Preliminary Amendment 

page(s) Appendix 

CLAIMS AS FBLED 



Number Number 
For Filed Extra 
Total Claims 51 -20 - 31 


X 


Rate 
$18.00 


Basic Fee 
$ $690.00 
$ 558.00 


Independent 3 -3 = 0 
Claims 


X 


$78.00 


$ 0.00 


□ Application contains one or more multiple $ 
dependent claims ( total fee) 


Please make the following charges to Deposit Accoxmt 19-2386: 




^ Total fee for filing the patent application in the amount of 




$ 1,248.00 



The Commissioner is hereby authorized to charge any additional fees which may be 
required, or credit any overpayment to Deposit Account 19-2386. 

' submit 



EXPRESS MAIL LABEL 
NO: 

EL252928683US 




Attorney for Applicants 
Reg. No. 42,434 



591267 vl 



Austin, TX 
Newport Beach, CA 
San Francisco, CA 



PATENT 



In the United States Patent and Trademark Office 



Applicant: 

Assignee: 

Title: 

Serial No.: 
Examiner: 
Atty. Docket No. 



Haq, Faisal; Lalgudi, Hari K. 
Cisco Technology, Inc. 

IMPLEMENTING ACCESS CONTROL LISTS USING A 
BALANCED HASH TABLE OF ACCESS CONTROL LIST 
BINARY COMPARISON TREES 



Unknown 
Unknown 
M-7998 US 



Filed: Herewith 
Group Art Unit: Unknown 



San Jose, California 
January 14, 2000 

Box Patent Application 

ASSISTANT COMMISSIONER FOR PATENTS 
Washington, D.C. 20231 



PRELIMINARY AMENDMENT 



Dear Sir: 



The following Amendment is submitted for entry into the application filed 
herewith. 



AMENDMENTS 



Please amend the above-referenced application as follows: 



In the Specification 



On page 1, at the end of line 9, please insert thie following: 

A portion of the disclosure (particularly the Appendix) of this patent document contams 
material which is subject to copyright protection. The copyright owner has no objection 
to the facsimile reproduction by anyone of the patent document or the patent disclosure, 
as it appears in the Patent and Trademark Office patent file or records, but otherwise 
reserves all copyright or rights whatsoever. 



PATENT 



REMARKS 



The application has been amended to clarify copyright issues by including the 
form paragraph of 37 C.F.R. 1 .71 appearing in section 608.01(v) of the MPEP. No new 
matter has been added. 

In view of the amendments and remarks set forth herein, the application is 
believed to be in condition for allowance and a notice to that effect is solicited. 
Nonetheless, should any issues remain that might be subject to resolution through a 
telephonic interview, the examiner is requested to telephone the undersigned. 



EXPRESS MAIL NO: 
EL252928683US 




Me R. Cook 
Attorney for Applicants 
Reg. No. 42,434 



Attorney Docket No.: 
M-7998 US 



"Express Mail" mailing label number: 

EL252928683US 



IMPIiEiyiENTING ACCESS CONTROL LISTS USING A BALANCED HASH TABLE OF 
ACCESS CONTROL LIST BINARY COMPARISON TREES 

Faisal Haq 
Har i K . Lalgudi 



REFERENCE TO APPENDIX 

An appendix, which will subsequently be reduced to microfiche, 
accompanies this application. The accompanying appendix is hereby 
incorporated by reference herein in its entirety. 

10 BACKGROUND OF THE INVENTION 

Field of the Invention 

The present invention is related to a method and system to be 
utilized in data communications involving at least one data 
communications network. 

15 Description of the Related Art 

Data communications is the transfer of data from one or more 
sources to one or more sinks that is accomplished (a) via one or more 
data links between the one or more sources and the one or more sinks 
(b) according to a protocol. A data link is the means of connecting 

2 0 communications facilities or equipment at one location to 

communications facilities or equipment at another location for the 
purpose of transmitting and receiving data. A protocol, in 
communications, computer, data processing, and control systems, is a 
set of formal conventions that govern the format and control the 
25 interactions between at least two communicating functional elements 
in order to achieve efficient and understandable communications. 
Examples of protocols are Asynchronous Transfer Mode (ATM) protocol, 
Internet Protocol (IP) , and Transport Control Protocol (TCP) . 

A data communications network is the interconnection of three 

3 0 or more network stations, (each network station functioning as a data 

source and/or sink) over one or more data links, which allows 
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communication between the three or more network stations over the one 
or more data links. A packet -switched datcL communications network is 
a network in which data is transmitted and routed through the network 
in the form of packets. A packet is a sequence of bits that includes 
5 data and control signals, where typically the control signals appear 
in a header part a sequence of bits forming a first part of the 
packet and the data appear in data part a sequence of bits 
forming a second part of the packet. In packet-switched networks, 
data communications network stations (e.g., routers, bridges, 

10 gateways, clients, servers^ etc.) may be implemented by a variety of 
techniques, such as software application programs running on 
interconnected computer systems. Application Specific Integrated 
Circuits (ASICs) , or combinations of software and ASICs implemented 
within interconnected computer systems, {e.g., the Cisco Systems® 

15 Catalyst® family of switches and the Cisco 7xxx family of routers) . 

As noted, a data communications network is the interconnection 
of three or more network stations (each network station functioning 
as a data source and/or sink) over one or more data links. However, 
within the context of packet-switched networks, the convention within 

20 the art is to add to the foregoing definition the additional 

requirement that the defined packet-switched data communications 
network be under the control of a defined network administrator an 
entity (usually a person or group of persons) responsible for and 
having ultimate control over a defined group of network stations. 

25 Following this convention, when a first defined packet-switched 

network is connected to a second defined packet-switched network via 
at least one network station common to both the first defined and 
second defined networks, such a conf igureition is conventionally 
referred to as an "internetwork" a short hand notation for the 

30 phrase ''interconnected network of networks." Note that this 
convention recognizes that two or more networks have been 
interconnected, but also recognizes that the totality of such 
interconnected networks itself forms a network- Thus, while the 
following detailed description describes devices and processes in the 

3 5 context of a network, such detailed description is also equally 
applicable to internetworks . 

As networks, and networks of networks (e.g., the Internet) 
proliferate, increasing attention is being paid to problems involving 
network security (e.g., controlling which network stations can 
40 communicate with each other) . For example, for a commercial lending 
bank having an intranet (a private network belonging to the bank) 
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which has one or more network stations connected to the Internet, it 
is common for the bank's network administrator to want to ensure that 
the only network stations that have access into and out of the bank's 
intranet are clearly defined and closely controlled. In addition, it 
5 is also common for the network administrator to restrict access 

between various network stations of the bank's intranet. One way 
that this is conventionally done is to restrict which packets can 
pass through each network station over which the bank's network 
administrator has control. In this technique, each network station 

10 examines header information of received packets in order to determine 
how to dispose of the packets (e.g., whether to accept, transmit, 
reject, or forward the received packets) . By controlling, on the 
basis of information contained in received packet headers, which 
packets can pass which network stations, the network administrator is 

15 able to control access to various parts of his network on either side 
of each network station. Accordingly, this technique is known in the 
art as packet level access control. 

In the packet-level access control technique, lists of rules 
are used by each network station to determine which received data 

2 0 packets to accept, transmit, forward, or reject. Since these rules 

control access to various portions of a network (or more or more 
internetworks), such rules are conventionally referred to as Access 
Control Rules . The complete set of rules maintained by an individual 
network station is conventionally known cis an Access Control List 
25 (ACL) . 

An ACL is a set of rules for determining how a network station 
should dispose of various received packets . ACL rules are typically 
an ordered list of plain English rules which have been translated 
into the grammar and syntax understood by the network station where 
30 the ACL is to be implemented (e.g,, expressed such that the network 
operating system can interpret and effect the desires expressed in 
the ordered list of plain English rules) . For example, the plain 
English rule of "'Permit TCP packets from any source to host with IP 
address equal to 194.121.68.173 and TCP port number greater than 

3 5 1023" can be expressed in network station understandable grammar and 

syntax as ^^permit TCP any host 194.121.68.173 GT 1023" (expressed 
here for sake of example in a grammar and syntax understandable by a 
network server computer running Cisco Systems' lOS (Internetworking 
Operating System) , but also expressible in other network operating 
40 system or computer operating system formats) . ACLs can become quite 
complex and can grow to thousand upon thousands of rules . 

- 3- 
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When a data packet is received by a network station which 
disposes of received packets on the basis of an ACL, the packet's 
header information must be compared against those ACL rules which 
utilize the information contained within the received packet's header 
5 in order to make access control decisions. In addition, such 

comparisons should be done in the sequential order in which the rules 
appear in the ACL, since the order in which the rules are arranged in 
an ACL typically encodes important control information (e.g., if an 
ACL has a f irst-in-sequence rule that states "'permit packets from 
10 source address Memphis to destination address San Francisco," and a 

second- in-sequence rule that states "deny packets from source address 
Memphis to any destination address," if the order of evaluation is 
reversed, the packet from Memphis to San Francisco will never get 
through the network station) . 

15 For an ACL with a relatively small number of rules, comparing a 

packet's header against the ACL rules causes very little network 
traffic delay. However, as the number of rules in an ACL grows, the 
delay associated with comparing packet headers against the ACL rules 
can be very computationally intensive, and can result in significant 

2 0 network traffic delay above and beyond that associated with smaller 

ACLs . 

While it may seem reasonable that ACLs with a relatively large 
number of rules will result in significant network delay above and 
beyond that associated with ACLs with a relatively smaller number of 
25 rules, those skilled in the art will recognize that network 

administrators prefer that adding rules to ACLs maintained by network 
stations not result in noticeable performance degradation of those 
network stations. 

Techniques exist within the art which provide network stations 

3 0 with the ability to maintain relatively larger ACLs without 

noticeable degradation of performance over relatively smaller ACLs, 
but those techniques are not practicable for many situations. For 
example, some of the most successful techniques have involved a 
faster and more compact method of converting the ACL rule elements 

35 into entries in a content-addressable memory (CAM) , but such 

techniques tend to add overhead to the systems. Furthermore, insofar 
as that the CAM-based techniques involve a radical design departure 
from older-generation systems, the newer CAM-based network stations 
are generally not backwards -compatible with existing network 

40 stations . 

- 4- 
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In many situations, network administrators are dissatisfied 
with the ACL-related performance of their network stations, but such 
network administrators have either concluded that the problems are 
not severe enough to warrant investing in the newer CAM-based network 
5 stations, or such network administrators cannot afford the newer CAM- 
based network stations. In addition, many network station vendors 
have invested significant research and development funds into their 
current-generation network stations, and would prefer to extend the 
life of such current-generation network stations before adopting the 
10 radical redesign needed to move to the newer-generation CAM-based 
network stations. One way of extending the life of such current- 
generation network stations would be to improve the ability of such 
network stations to handle relatively long ACLs . 

It is therefore apparent that a need exists for a method and 
15 system which will provide improved ACL performance for network 

stations in a relatively cost-effective manner {e.g., in a manner not 
requiring the use of expensive CAM-based technology) . In addition, a 
need further exists for a method and technique which is substantially 
backwards -compatible with existing ACL systems, which will thus allow 

2 0 vendors to retro-fit network stations already purchased by customers, 

and also allow vendors to further extend the life of their current- 
generation network stations. 

The foregoing general discussion of the related art can be 
supplemented by reference to the following texts, all of which are 

25 hereby incorporated by reference in their entireties: Merilee Ford, 
et. al . , Internetworking Technologies Handbook , Cisco Press 1997; 
Karanjit S. Siyan, Inside TCP/IP , 3d ed. , New Riders Publishing 1997; 
Internet Firewalls and Network Security , 3d ed. , New Riders 
Publishing 1995; D. Brent Chapman and Elizabeth D. Zwicky, Building 

30 Internet Firewalls , O'Reilly & Associates, 1995; Network Protocols 

Configuration Guide, Cisco IPS® Release 12.0 , Cisco Press, 1998; and 
Network Protocols Command Reference, IPS Release 12.0 , Cisco Press, 
1998 . 

Cisco Systems, Cisco IPS, and Catalyst are registered 

3 5 trademarks of Cisco Systems, Inc. of San Jose, California. 



SUMMARY OF THE INVENTIPN 

The inventors named herein have devised a method and system 
which provide improved ACL performance for network stations (e.g.. 
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routers, bridges, switches, network clients, and network servers) in 
a relatively cost-effective manner (e.g., in a manner not requiring 
the use of expensive CAM-based technology) . The method and system 
devised are substantially backwards -compatible with existing- 
5 generation network stations, and will allow vendors to retro- fit 

network stations already purchased by customers, and further extend 
the life of current generation systems sold by such vendors. 

The devised method and system provide for implementing Access 
Control Lists (ACLs) using a Balanced Hash Table of ACL Binary 

10 Comparison Trees (ABCTs), where the Balanced Hash Table of ABCTs 

encodes the replaced ACL. In one embodiment, the method includes but 
is not limited to receiving at least one packet, and disposing of the 
received at least one packet in response to a walk of a Balanced Hash 
Table of ABCTs, where the Balanced Hash Table of ABCTs encodes an 

15 Access Control List. In another embodiment, the method further 
includes converting the Access Control List to the Balanced Hash 
Table of ABCTs, the Balanced Hash Table of ABCTs encoding the Access 
Control List. In one embodiment, the system includes means for 
receiving at least one packet, and means for disposing of the 

2 0 received at least one packet in response to a walk of a Balanced Hash 

Table of ABCTs, where the Balanced Hash Table of ABCTs encodes an 
Access Control List. In another embodiment, the system further 
includes means for converting the Access Control List to the Balanced 
Hash Table of ABCTs, where the Balanced Hash Table of ABCTs encodes 
25 the Access Control List. 

The foregoing is a summary and thus contains, by necessity, 
simplifications, generalizations, and omissions of detail; 
consequently, those skilled in the art will appreciate that the 
summary is illustrative only and is not intended to be in any way 

3 0 limiting . Other aspects, inventive features, and advantages of the 

present invention, as defined solely by the claims, will become 
apparent in the non-limiting detailed description set forth below. 



BRIEF DESCRIPTION OF THE DRAWINGS 

The present invention may be better understood, and its 
3 5 numerous objects, features, and advantages made apparent to those 
skilled in the art by referencing the accompanying drawings. 

Figure lA depicts a high level logic flowchart depicting a 
process by which a Balanced Hash Table of ACL Binary Comparison Trees 
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is constructed and thereafter utilized wichin a Per-Packet Processing 
Engine of a network station (exemplary of any one of many network 
stations well-known in the art, and which may include, among other 
things, all or part of the following: a processor, router, bridge, 
5 switch, gateway, network server, or network client) . 

Figure IB depicts a pictorial representation of an example of 
network station 15 0 

Figure 2 illustrates a high-level logic flowchart depicting the 
ACL Hash-Table-Balancing Bit Selection Vector Production Process . 

10 Figures 3A and 3B show a high-level logic flowchart 

illustrating the "heuristic balancing process" referred to in method 
step 208. 

Figure 4 depicts a high-level logic flowchart illustrating the 
ACL-to-Balanced Hash Table of ACL Binary Comparison Tree Conversion 
15 Process. 

Figure 5 illustrates a process by which a binary comparison 
tree may be constructed for a Rule Under Consideration, such as was 
referenced in relation to method step 410. 

Figure 6 illustrates a process by which the binary comparison 
2 0 tree constructed for the Rule Under Consideration may be added to a 
hash table. 

Figures 7A-7D12 show an example of the creation of a Hash- 
Table-Balancing Bit Selection Vector, and the subsequent creation of 
a Balanced Hash Table of ABCTs . 

2 5 The use of the same reference symbols in different drawings 

indicates similar or identical items. 



DETAILED DESCRIPTION 

With reference to the figures and in particular with reference 
now to Figure lA, depicted is a high-level logic flowchart depicting 

3 0 a process by which a Balanced Hash Table of ACL Binary Comparison 
Trees is constructed and thereafter utilized by a per-packet 
processing engine within network station 150 (where network station 
150 is exemplary of any one of many network stations well-known in 
the art, and which may include, among other things, all or part of 

3 5 the following: a processor, router, bridge, switch, gateway, network 
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server, or network client) . Method step 100 illustrates the start of 
the process. Method step 102 shows obtaining a complete, ordered, 
ACL utilized within network station 150. Those having ordinary skill 
in the art will recognize that such an ACL is typically entered by a 
human network administrator via a graphical user interface of an 
application program resident upon a network server computer, such 
network server computer typically having software and/ or hardware 
sufficient to allow it to function as a network router, gateway, 
and/ or bridge. 

Method step 104 shows an ACL Hash-Table-Balancing Bit Selection 
Vector Production Process (discussed in more detail via flowcharts 
and a specific example, below) receiving the complete, ordered set of 
ACL Rules. Method step 106 depicts that the ACL Hash-Table-Balancing 
Bit Selection Vector Production Process outputs and passes to the 
next method step definitions of certain bit positions within one or 
more packet header fields utilized by the rules in the ACL, such 
definitions contained as pointers within what is hereinafter referred 
to as a "Hash-Table-Balancing Bit Selection Vector" which will be 
utilized (1) to construct a hash table having a relatively balanced 
set of entries of ACL binary comparison trees (as used herein 
^'balanced" means that the trees are distributed roughly evenly both 
in depth and across the entries of the entire hash table) , where such 
constructed hash table will encode the ACL (a process explained in 
more detail via flowcharts and a specific example, below) and, (2) to 
thereafter construct hash table index values used to ''key into" the 
constructed Balanced Hash Table of ACL Binary Comparison Trees once 
the Balanced Hash Table of ACL Binary Comparison Trees has been 
successfully deployed in per-packet processing engine 152. 

Method step 108 shows that an ACL-to-Balanced Hash Table of ACL 
Binary Comparison Tree Conversion Process (discussed in more detail 
below by way of a flowchart and a specific example) , receives the 
Hash-Table-Balancing Bit Selection Vector specified by the ACL Hash- 
Table-Balancing Bit Selection Vector Process and also receives the 
complete, ordered, ACL. Thereafter, method step 108 depicts that the 
ACL-to-Balanced Hash Table of ACL Binary Comparison Tree Conversion 
Process, utilizing the Hash-Table-Balancing Bit Selection Vector and 
the complete, ordered, ACL, creates and outputs what is referred to 
herein as a Balanced Hash Table of ACL Binary Comparison Trees which 
actually encodes the ACL, such Balanced Table of ACL Binary 
Comparison Trees being hereinafter referred to as a Balanced Hash 
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Table of ABCTs {the production of which is discussed in more detail 
below by way of a flowchart and a specific example) . 

Method step 110 depicts that the ACL-to-Ealanced Hash Table of 
ACL Binary Comparison Tree Conversion Process outputs and passes to 
5 the next method step a Balanced Hash Table of ABCTs, which method 
step 152 shows is thereafter accepted by a par-packet processing 
engine resident within and utilized by a network station 15 0 to 
effect the mandates encoded in the ACL rules. 

Event 112 illustrates that subsequent to acceptance of the 
10 Balanced Hash Table of ABCTs by per-packet processing engine 150, 

network station 15 0 receives packets, and the per-packet processing 
engine utilizes the Hash- Table-Balancing Bit Selection Vector to 
create from the header of the received packets a hash table index 
value which is used to ^^key into" the Hashed Table of Balanced ACL 
15 Trees, and thereafter walk the Balanced Hash Table of ABCTs to 
determine the appropriate disposition of the received packet as 
dictated by the complete, ordered, ACL. Event 114 depicts that the 
walk of the Balanced Hash Table of ABCTs results in disposition of 
the received packets, referenced in event 112, in the manner 

2 0 indicated by the ACL. 

With reference now to Figure IB depicted is a pictorial 
representation of an example of network station 150. Depicted is 
network station 150. Shown present and associated with network 
station 150 are computer system unit 122 respectively coupled to 
25 video display device 124, keyboard 126, mouse 127, and router 128. 

Depicted is that router 12 8 is connected with communication lines 13 0 
whereby one or more data packets may enter and exit network station 
150. Network station 150 may be implemented utilizing any suitable 
computer system (e.g., workstations, minicomputers, mainframe 

3 0 computers, or network-application specific computers) and router. 

Those skilled in the art will recognize that various implementations 
of network station 150 can have many different components, such as 
multiprocessors, random-access memory, read-only memory, various bus 
types, disk and tape drives, graphical user interfaces, etc. In 

35 addition, network station 150 is merely exemplary and it is to be 
remembered that network stations referred to herein may be 
implemented by a variety of techniques, including but not limited to 
software application programs running on interconnected computer 
systems. Application Specific Integrated Circuits (ASICs) , or 

40 combinations of software and ASICs implemented within interconnected 
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computer systems, (e.g., the Cisco Systems® Catalyst® family of 
switches and the Cisco 7xxx family of routers) . 

Referring now to Figure 2, illustrated is a high-level logic 
flowchart depicting the ACL Hash-Table-Balancing Bit Selection Vector 
Production Process. Method step 200 shows the start of the process. 
Method step 202 depicts obtaining the complete, ordered, ACL 
{previously referenced in relation to method step 102) utilized 
within network station 150. Method step 203 illustrates identifying 
the packet header fields which are utilized by the ACL Rules in order 
to make access control decisions. Thereafter, method step 204 
depicts scanning each packet header utilized by each ACL rule in the 
complete, ordered, ACL, and constructing an exemplar aggregate bit 
string, where the exemplar aggregate bit string has one field 
corresponding to each packet header field utilized by any ACL Rule in 
the ACL and such that no fields are duplicated within the exemplar 
bit string (that is, even if two different ACL rules utilize the same 
packet header field, only one instance of the packet header field 
will appear in the exemplar, even though two rules use that field) . 

Thereafter, method step 2 06 depicts constructing, by using the 
packet identification criteria (i.e., fields) utilized by each ACL 
rule in the complete, ordered, ACL referenced in method step 2 02, a 
bit string having the same fields as the constructed exemplar 
aggregate bit string referenced in method step 204, where each 
constructed bit string for each rule has as the contents of its (the 
constructed bit string's) fields the contents of the fields utilized 
for each such rule, and "don't care" entries for fields not utilized 
by each such ACL Rule. 

Method step 208 shows obtaining, or alternatively specifying, 
the number of bits (or "bit length") to be utilized in an index of a 
yet-to-be constructed Balanced Hash Table of ABCTs . Thereafter, 
method step 210 depicts utilizing a "heuristic balancing" process 
(discussed in more detail below by way of a flowchart and a specific 
example) to construct a Hash-Table-Balancing Bit Selection Vector 
which has pointers (the number of pointers selected is equal in 
number to the specified bit length of the hash table index) to those 
bit positions utilized by the ACL rules, where the "heuristic 
balancing" process selects those bit positions which both (1) are 
utilized with relative frequency by the ACL Rules and (2) have 
entries within the selected bit positions that are roughly equally 
distributed amongst logical "l"s (ones) and logical "0"s (zeroes); 
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With reference now to Figures 3A and 3B, shown is a high-level 
logic flowchart illustrating the "heuristic balancing process" 
referred to in method step 208. Method step 300 depicts the start of 
the process. Method step 3 02 illustrates obtaining the bit strings, 
referenced in method step 206, constructed for each ACL rule. 

Method step 3 04 shows aligning the bit positions of each 
obtained constructed bit string referenced in method step 302; that 
is, each constructed bit string is aligned such that each field in 
the constructed bit string matches with the appropriate field in 
every other constructed bit string, and thus each bit position within 
each constructed bit string is also so-alLgned — the foregoing is 
possible because each bit string for each rule was constructed 
utilizing the exemplar bit string referenced in method step 204 of 
Figure 2 . 

Method step 3 06 depicts that the leftmost aligned bit position 
within the aligned bit strings is defined to be the "current aligned 
bit position." Thereafter, method step 308 illustrates that, for the 
current aligned bit position (1) a count is made of the number of 
"l"s (logical ones) appearing in that current aligned bit position 
amongst all the bit strings constructed from the ACL Rules in the 
ACL, (2) a count is made of the number of "0"s (logical zeroes) 
appearing in that current aligned bit position amongst all the bit 
strings constructed from the ACL Rules in the ACL, and (3) a count is 
made of the number of "X"s (logical ^^don't care" bits) appearing in 
that current aligned bit position amongst all the bit strings 
constructed from the ACL Rules in the ACL. 

Method step 310 shows that once a count has been made of the 
"l"s, "0"s, and "X"s appearing in the current aligned bit position 
amongst all the bit strings constructed from the ACL Rules in the 
ACL, the count of the '^l"s is summed with the count of the "X"s to 
obtain a ^^Total ^I's + ^X's Count" for the current aligned bit 
position; also shown is that the count of the "0"s is summed with the 
count of the "X"s to obtain a "Total ^O's + ^X's Count" for the 
current aligned bit position. 

Method step 312 depicts an inquiry as to whether the current 
aligned bit position is the last position in the aligned constructed 
bit strings. Method step 314 shows that if the inquiry of method 
step 312 yields a determination that the current aligned bit position 
is NOT the last position in the constructed bit strings, the current 
aligned bit position is redefined as the next -rightwards bit position 
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of the aligned constructed bit strings. Thereafter, the process 
proceeds to method step 3 08 and continues from that point. 

Method step 316 depicts that if the inquiry of method step 312 
yields a determination that the current aligned bit position is the 
last position in the constructed bit strings, a "Larger Total Count" 
row (in one embodiment, 1 x N matrix, where N is equal to the total 
number of bit positions in the exemplar bit string referenced in 
method step 204 above) having one column corresponding to each bit 
position in one of the constructed bit strings (i.e., a column for 
each bit position in the exemplar bit string reference in method step 
204) is created. 

Method step 318 shows that each column entry of the "Larger 
Total Count" row is filled with the LARGER of either the "Total 'I's 
+ ^X's Count" or the "Total 'O's + 'X's Count" for the bit positions 
of the constructed bit strings corresponding to each such column 
entry of the Larger Total Count row. 

Method step 32 0 illustrates that a "'^Smaller Total Count" row 
(in one embodiment, 1 x N matrix, where N is equal to the total of 
bit positions in the exemplar bit string referenced in method step 
2 04 above) having one column corresponding to each bit position in 
one of the constructed bit strings (i.e., a column for each bit 
position in the exemplar bit string reference in method step 204) is 
created. 

Method step 322 shows that each column entry of the "Smaller 
Total Count" row is filled with the SMALLER of either the "Total ^I's 
+ ^X's Count" or the "Total 'O's + 'X's Count" for the bit positions 
of the constructed bit strings corresponding to each such column 
entry of the Smaller Total Count row. 

Method step 323 shows that the number of Unspecified Pointers 
of Hash-Table-Balancing Bit Selection Vector is set equal to the bit 
length of the hash table index specified in method step 208 of Figure 
2 . 

Method step 324 depicts that the one or more coliimns of the 
Larger Total Count row referenced in method step 318 having the 
minimum value within the Larger Total Count row are selected and 
designated as potential, "P, " candidate columns which will be used to 
construct the pointers of the Hash-Table-Balancing Bit Selection 
Vector, which means that the bit positions (of the constructed bit 
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Strings/exemplar bit string) corresponding to the selected columns 
are potential candidates for use as the Hash Table Index. 

Method step 32 6 illustrates an inquiry as to whether the number 
of potential, "P, " candidate columns selected in method step 324 is 
greater than the number of Unspecified Pointers of Hash-Table- 
Balancing Bit Selection Vector. In the event that the inquiry 
illustrated in method step 326 yields a determination that the number 
of potential, "P, " candidate columns selected in method step 324 is 
greater than the number of Unspecified Pointers of Bit Position 
Vector, the process proceeds to method step 32 8 which shows that an 
attempt is made to refine the selection of the potential, ''P, " 
candidate columns referenced in method step 324 by examining the one 
or more columns of the Smaller Total Count row, such examined Smaller 
Total Count row columns being those corresponding to the columns 
currently designated as potential, "P, " candidate columns within the 
Larger Total Count row; further shown is that those examined columns 
within the Smaller Total Count row with the minimum, or smallest, 
entries are redesignated as potential, "R, " candidate columns. 
Thereafter, method step 33 0 shows that an inquiry is made as to 
whether the total number of redesignated potential, ^'R, " candidate 
columns is greater than or equal to the number of Unspecified 
Pointers of the Hash-Table-Balancing Bit Selection Vector. 

In the event that the inquiry of method step 33 0 yields a 
determination that the number of redesignated potential, '"R, " 
candidate columns are greater than or equal to the number of the 
Unspecified Pointers of the Hash-Table-Balancing Bit Selection 
Vector, the process proceeds to method step 332 which depicts that a 
number, equal to the number of Unspecified Pointers of the Hash- 
Table-Balancing Bit Selection Vector, of potential "R" candidate 
columns are designated as actual "K" Hash-Table-Balancing Bit 
Selection Vector Pointer Indication Columns, which means that the bit 
positions corresponding to those "^K" candidate columns are those bit 
positions which will be pointed at by pointers of the Hash-Table- 
Balancing Bit Selection Vector. Thereafter, insofar as that the 
Hash-Table-Balancing Bit Selection Vector has now been completely 
specified, the process proceeds to method step 333 and stops. 

In the event that the inquiry of method step 33 0 yields a 
determination that the number of redesignated potential, ''R, " 
candidate columns are less than the number of Unspecified Pointers of 
the Hash-Table-Balancing Bit Selection Vector, the process proceeds 
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to method step 334 which depicts that the potential ^^P" candidate 
columns are designated as actual "K" Hash-Table-Balancing Bit 
Selection Vector Pointer Indication Columns, which means that the bit 
positions corresponding to those ''K" Hash-Table-Balancing Bit 
Selection Vector Pointer Indication Columns are those bit positions 
which will be pointed at by pointers of the Hash-Table-Balancing Bit 
Selection Vector. Subsequently, method step 33 6 illustrates the 
number of actual ^^K' Hash-Table-Balancing Bit Selection Vector 
Pointer Indication Columns referenced in method step 332 is 
subtracted from the number of Unspecified Pointers of Hash-Table- 
Balancing Bit Selection Vector. 

Method step 33 8 shows the inquiry as to whether the number of 
Unspecified Pointers of the Hash-Table-Balancing Bit Selection Vector 
is greater than zero. If the inquiry depicted in method step 33 8 
results in a determination that the number of Unspecified Pointers of 
the Hash-Table-Balancing Bit Selection Vector is NOT greater than 
zero, the process proceeds to method step 340 and stops. If the 
inquiry depicted in method step 33 8 results in a determination that 
the number of Unspecified Pointers of the Hash-Table-Balancing Bit 
Selection Vector is greater than zero, the process proceeds to method 
step 3 42 which depicts that the columns of ^^Larger Total Count" Row 
and the columns Smaller Total Count" Row which have previously been 
designated as ^^K" Hash-Table-Balancing Bit Selection Vector Pointer 
Indication Columns in any method step, at any iteration through the 
process depicted in Figures 3A and 3B, are marked as "no longer 
selectable" (this ensures that the columns/bit positions subsequently 
designated as ^^K" Hash-Table-Balancing Bit Selection Vector Pointer 
Indication Columns will be bit positions that have not yet been so 
designated) . Thereafter, with Larger Total Count row and Smaller 
Total Count row so adjusted (that is, with the Larger Total Count and 
Smaller Total Count row columns which have ever been designated as 
"K" Hash-Table-Balancing Bit Selection Vector Pointer Indication 
Columns being marked as no longer selectable, or under 

consideration) , the process proceeds to method step 324 and continues 
from that point . 

Notice that the process will loop until the nioinber of 
candidates "K" necessary to completely specify the Pointers of Hash- 
Table-Balancing Bit Selection Vector have been designated. 

In the event that the inquiry illustrated in method step 326 
yields a determination that the number of columns selected in method 
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Step 3 24 is not greater than the number of Unspecified Pointers of 
Bit Position Vector, the process proceeds to method step 334, which 
depicts that the potential, "R. " candidate columns are designated as 
actual "K" Hash-Table-Balancing Bit Selection Vector Pointer 
Indication Columns, which means that the bit positions corresponding 
to those ^^K" Hash-Table-Balancing Bit Selection Vector Pointer 
Indication Columns are those bit positions which will be pointed at 
by pointers of the Hash-Table-Balancing Bit Selection Vector. 
Thereafter, the process proceeds to method step 33 6 and continues 
from that point. 

Referring now to Figure 4, depicted is a high-level logic 
flowchart illustrating the ACL-to-Balanced Hash Table of ACL Binary 
Comparison Tree Conversion Process. Method step 400 shows the start 
of the process. Method step 402 depicts that the complete, ordered, 
ACL referenced within method step 102 is obtained. Method step 404 
illustrates the creation of a hash table having a number of entries 
corresponding to the bit length specified for the hash table index 
(i.e., that specified in method step 208); for example, a 2 bit 
length index would have a hash table with 4 entries, a 3 bit length 
index would have a hash table with 8 entries, a 4 bit index would 
have a hash table with 16 entries, etc. Method step 406 shows that a 
^^Rule Under Consideration" is set to be the first rule in the ACL. 
Method step 408 shows that the bit positions, previously designated 
as "K" Hash-Table-Balancing Bit Selection Vector Pointer Indication 
Columns (i.e.. the bit positions pointed at by the pointers of the 
Hash-Table-Balancing Bit Selection Vector) , in the fields utilized by 
the Rule Under Consideration are examined. Method step 409 depicts 
that that the bit entries in those examined bit positions (i.e., 
those bit positions pointed at by the pointers of the Hash-Table- 
Balancing Bit Selection Vector) are utilized to construct an hash 
table index value, used to ^^key into" the created hash table. Those 
skilled in the art will recognize that there are many ways such could 
be done, but one way would be to utilize the hash table index as part 
of the memory address of the table. 

Method step 410 shows that once the appropriate row entry of 
the hash table has been keyed to using the hash table index value for 
the Rule Under Consideration, the fields utilized by the Rule Under 
Consideration are examined in a left-to-right fashion, and a binary 
comparison tree is constructed for the Rule Under Consideration 
(construction of a binary comparison tree is illustrated via a 
flowcharts and a specific example, below) . Thereafter, method step 
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412 {discussed in more detail via flowcharts and a specific example, 
below) shows that the constructed binary comparison tree for the Rule 
Under Consideration is appended to the hash table entry associated 
with the hash table index equal to the hash table index value 
constructed for the Rule Under Consideration. With respect to the 
constructed hash table index value, if one of the bit positions of 
the constructed hash table index value contains an "X" value, then 
the tree for the Rule Under Consideration will be appended in the 
hash table both where such bit position index equals "1" and ^^0"; for 
example, if an index turned out to be IIX, the binary comparison tree 
for the Rule Under Consideration would be appended to the hash table 
index values 111 and 110. 

Method step 414 depicts the inquiry as to whether the end of 
the complete, ordered, ACL referenced within method step 102 has been 
reached. If the inquiry depicted in method step 414 yields a 
determination that the end of the complete, ordered, ACL has NOT been 
reached, method step 416 shows that the Rule Under Consideration is 
set to be the next ACL rule in sequence within the complete, ordered, 
ACL. Thereafter, the process proceeds to method step 406 and 
continues from that point. 

If the inquiry depicted in method step 414 yields a 
determination that the end of the complete, ordered, ACL has been 
reached, method step 418 depicts that the resultant hash table with 
the appended binary trees is designated as a Balanced Hash Table of 
ABCTs. Thereafter, the process proceeds to method step 420 and 
stops . 

With reference now to Figure 5, illustrated is a process by 
which a binary comparison tree may be constructed for a Rule Under 
Consideration, such as was referenced in relation to method step 410. 
The following method steps refer to inserting compare nodes in a 
binary comparison tree. It is to be understood that when a node is 
so inserted, the insertion is such that the miss branch of the 
inserted node will point to "DEFAULT DENY" and the match branch of 
the inserted node will point to a place-holder for the next node to 
be inserted, unless the insertion is related to the insertion of a 
''stop" node (a ''stop" node does not have a miss or match branch but 
instead contains the ultimate dispensation of the rule, such as 
"PERMIT, " "DENY, " "FORWARD, " etc. } . 

Method step 500 shows the start of the process. Method step 
502 depicts the inquiry as to whether the Rule Under Consideration 
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makes a decision based upon the protocol field of received packet 
headers. In the event that the inquiry depicted in relation to 
method step 502 yields a determination that a decision is NOT made 
based upon the protocol field of received packet headers, the process 
proceeds to method step 506 and continues from that point. In the 
event that the inqiiiry depicted in relation to method step 502 yields 
a determination that a decision is made based upon the protocol field 
of received packet headers, the process proceeds to method step 504 
wherein is depicted the operation of inserting a protocol compare 
node, having separate miss and match branches consistent with the 
protocol field of the Rule Under Consideration, into a binary 
comparison tree (notice that this is the first insertion of a compare 
node into the binary compare tree) . Thereafter, the process proceeds 
to method step 506 wherein is depicted the inquiry as to whether the 
Rule Under Consideration makes a decision based upon the source 
address field of received packet headers . 

In the event that the inquiry depicted in relation to method 
step 506 yields a determination that a decision is NOT made based 
upon the source field of received packet headers, the process 
proceeds to method step 510 and continues from that point. In event 
that the inquiry depicted in method step 506 yields a determination 
that the Rule Under Consideration does make a decision based upon the 
source address field of received packet headers, the process proceeds 
to method step 508 wherein is depicted that a source address compare 
node, having separate miss and match branches consistent with the 
source address field of the Rule Under Consideration, is appended to 
the preceding compare node. Thereafter, the process proceeds to 
method step 510 wherein is depicted the inquiry as to whether the 
Rule Under Consideration makes decisions based upon the source port 
field of received packet headers. 

In the event that the inquiry depicted in relation to method 
step 510 yields a determination that a decision is NOT made based 
upon the source port field of received packet headers, the process 
proceeds to method step 514 and continues from that point. In event 
that the inquiry depicted in method step 510 yields a determination 
that the Rule Under Consideration does make a decision based upon the 
source port field of received packet headers, the process proceeds to 
method step 512 wherein is depicted that a source port compare node, 
having separate miss and match branches consistent with the source 
port field of the Rule Under Consideration, is appended to the 
preceding compare node. Thereafter, the process proceeds to method 
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Step 514 wherein is depicted the inquiry as to whether the Rule Under 
Consideration makes decisions based upon the destination address 
field of received packet headers . In the event that the inquiry 
depicted in relation to method step 514 yields a determination that a 
5 decision is NOT made based upon the destination address field of 

received packet headers, the process proceeds to method step 518 and 
proceeds from that point. In event that the inquiry depicted in 
method step 514 yields a determination thcit the Rule Under 
Consideration does make a decision based upon the destination address 

10 field of received packet headers, the process proceeds to method step 
516 wherein is depicted that a destination address compare node, 
having separate miss and match branches consistent with the 
destination address field of the Rule Under Consideration, is 
appended to the preceding compare node. Thereafter, the process 

15 proceeds to method step 518 wherein is depicted the inquiry as to 

whether the Rule Under Consideration makes decisions based upon the 
destination port field of received packet headers. In the event that 
the inquiry depicted in relation to method step 518 yields a 
determination that a decision is NOT made based upon the destination 

2 0 port field of received packet headers, the process proceeds to method 
step 519, which shows the insertion of a stop node having miss and 
match branches consistent with final dispensation of Rule Under 
Consideration. Thereafter, the process proceeds to method step 522 
and stops. In event that the inquiry depicted in method step 518 

2 5 yields a determination that the Rule Under Consideration does make a 

decision based upon the destination port field of received packet 
headers, the process proceeds to method step 520 wherein is depicted 
that a destination port compare node, having separate miss and match 
branches consistent with the destination port field of the Rule Under 

3 0 Consideration, is appended to the preceding compare node. 

Thereafter, the process proceeds to method step 521, which shows the 
insertion of a stop node having miss and match branches consistent 
with final dispensation of Rule Under Consideration. Thereafter, the 
process proceeds to method step 522 and stops . 

3 5 For sake of simplicity the process described in relation to 

Figure 5 makes reference only to source address, source port, 
destination address, destination port, and protocol identification 
fields. However, it is to be understood and will be appreciated by 
those having skill in the art that many other such fields exist 

40 (e.g., IP Quality of Service, TCP Flag fields) which can be utilized 
to construct binary comparison trees in a fashion substantially 
analogous to that demonstrated in Figure 5 . The present discussion 
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refers to logical nodes having miss and match branches ; in one 
embodiment such nodes having miss and match branches are implemented 
as an instruction word to a packet processor containing a compare 
opcode and operand. Accordingly, Figure 5, as all figures herein, is 
intended to be exemplary and not limiting. 

Referring now to Figure 6, illustrated is the process, 
referenced in method step 412, by which the binary comparison tree 
constructed for the Rule Under Consideration may be added to a hash 
table. Method step 600 shows the start of the process. Method step 
602 depicts the inquiry as to whether there is a pre-existing binary 
comparison tree at the hash table index equal to the hash table index 
value created for the ACL Rule Under Consideration. If the inquiry of 
method step 602 yields a determination that there is NOT a binary 
comparison tree at the hash table index equal to the hash-table-index 
value index created for the ACL Rule Under Consideration, method step 
604 illustrates that the binary comparison tree is appended in its 
entirety at the hash table entry associated with the hash table 
index, with the leftmost node of the binary comparison tree serving 
as root of the tree. Thereafter, the process proceeds to method step 
6 06 and stops. 

If the inquiry depicted in method step 602 yields a 
determination that there is a binary comparison tree at the hash 
index equal to the hash table index value created for the ACL Rule 
Under Consideration, illustrated is that the process proceeds to 
method step 608 wherein is shown that New Compare Node Pointer is set 
to point to the leftmost node of the binary comparison tree for the 
Rule Under Consideration (e.g., TCP if the Rule Under Consideration 
is assumed to be the rule constructed for the second rule in the 
example set forth in Figures 7A-7D12, below) and New Compare Node 
Field Type is set equal to the type of field utilized by the node 
pointed to by the New Compare Node Pointer (e.g., type of field is 
^'protocol id." if the Rule Under Consideration is assumed to be the 
second rule in the example set forth in Figures 7A-7D12, below) . 
Thereafter, shown in method step 610 is that Old Compare Node Pointer 
is set to the leftmost node (or root) of the pre-existing binary 
comparison tree already present at the hash index (e.g., TCP if it is 
assumed that the pre-existing binary comparison tree is the tree for 
the first rule constructed, and thereafter appended at index 0000, in 
the example set forth in Figures 7A-7D12, below) and that Old Compare 
Node Field Type is set equal to the type of field utilized by the 
node pointed at by the Old Compare Node Pointer (e.g., type of field 
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is ^^protocol id." if it is assumed that the Pre-Existing binary 
comparison tree is the tree for the first rule constructed, and 
thereafter appended at index 0 000, in the example set forth in 
Figures 7A-7D12, below). 

Thereafter, the process proceeds to method step 612 wherein is 
depicted the inquiry as to whether New Compare Node Field Type is the 
same as Old Compare Node Field Type (continuing with the example 
involving the first rule and second rule, below, both would be of 
type ^^protocol id."). If the inquiry depicted in method step 612 
yields a determination that New Compare Node Field Type is the same 
as Old Compare Node Field Type, then the process proceeds to method 
step 614, wherein is shown the inquiry as to whether the value of the 
field utilized by the node pointed at by the New Compare Node Pointer 
is a subset (the term subset here means a further subdivision of an 
overall network concept associated with the field; for example, 
^^source port > 50" would be considered a "subset" of "source port > 
2 0") of the value of the field utilized by the node pointed at by the 
Old Compare Node Pointer. If the inquiry shown in method step 614 
yields a determination that the value of the field utilized by the 
node pointed at by the New Compare Node Pointer is a subset of value 
of the field utilized by the node pointed at by the Old Compare Node 
Pointer, then the process proceeds to method step 616, wherein is 
depicted that a Next New Node Pointer is set to point to the node at 
the end of the match branch of the node pointed to by the New Compare 
Node Pointer (i.e., the next node on the match branch of the binary 
comparison tree for the Rule Under Consideration) . Thereafter, 
method step 618 illustrates that New Compare Node Pointer is reset to 
be equal to the Next New Node Pointer . 

Thereafter, the process proceeds to method step 620, wherein is 
depicted that Next Old Node Pointer is set to point to the node at 
the end of the match branch the node pointed to by the Old Compare 
Node Pointer (i.e., the next node on the match branch of the binary 
comparison tree for the Pre-Existing tree at hash table index) . 
Thereafter, method step 622 illustrates that Old Compare Node Pointer 
is reset to be equal to the Next Old Node Pointer. Thereafter, the 
process proceeds to method step 612 and proceeds from that point. 

If the inquiry shown in method step 614 yields a determination 
that the value of the field utilized by the node pointed at by the 
New Compare Node Pointer is NOT a subset of value of the field 
utilized by the node pointed at by the Old Compare Node Pointer, then 

- 20- 

583792 vl 



Attorney Docket No. : 
M-7998 US 



the process proceeds to method step 624 which shows the inqiiiry as to 
whether the value of the node on the miss branch of the node pointed 
to by Old Compare Node Pointer is a stop node (e.g.. no further nodes 
extend from the node on the miss branch) . If the inquiry shown in 
method step 624 yields a determination that the value of the field 
utilized by node on the miss branch of the node pointed to by Old 
Compare Node Pointer equates to a "stop node, " method step 62 6 shows 
that the node on the miss branch of node pointed to by Old Compare 
Node Pointer is replaced with the node pointed at by New Compare Node 
Pointer (i,e., the New Compare Node Value is appended onto the Pre- 
Existing Binary Compare Tree) . Thereafter, method step 628 depicts 
that a Default Deny Node Value is appended to the miss branch of the 
node just appended to the pre-existing hash table tree {i.e., the 
node pointed to by the New Compare Node pointer) as was discussed in 
relation to method step 626. Subsequently, the process proceeds to 
method step 63 0 and stops. 

If the inquiry shown in method step 624 yields a determination 
that the value of the field utilized by node on the miss branch of 
the node pointed to by Old Compare Node Pointer DOES NOT equate to a 
^^stop node," method step 632 shows that Next Old Node Pointer is set 
to point to the node at the end of the miss branch of node pointed to 
by the Old Compare Node Pointer (i.e., the next node on the match 
branch of the binary comparison tree for the Pre-Existing tree at 
hash table index) . Thereafter, method step 634 illustrates that Old 
Compare Node Value is reset to be the value of the Next Old Node 
Pointer. Thereafter, the process proceeds to 624 and proceeds from 
that point. 

If the inquiry depicted in method step 612 yields a 
determination that New Compare Node Field Type is NOT the same as Old 
Compare Node Field Type, then the process proceeds to method step 
636, which shows that a New Stored Node Pointer is set to be equal to 
the New Compare Node Pointer. Thereafter, method step 63 8 depicts 
that Old Stored Node Pointer is set to be equal to Old Compare Node 
Pointer. Thereafter, method step 640 illustrates the inquiry as to 
whether the value of the node on the miss branch of the node pointed 
to by Old Compare Node equates to a "stop node." If the inquiry 
illustrated in method step 64 0 yields a determination that the value 
of the node on the miss branch of the node pointed to by Old Compare 
Node equates to a "stop node," the process proceeds to method step 
642 which shows the addition of a tree residual, starting from the 
node of the binary comparison tree for the Rule Under Consideration, 
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pointed at by New Compare Node Pointer, at the end of the miss branch 
of the Old Compare Node, which is a node in the Hash Table Tree; that 
is, the node having a value equating to a stop node is replaced with 
the remainder of the binary tree for the Rule Under Consideration, 
5 where the first replacement node utilized is that node pointed at by 
the New Compare Node Pointer . 

Thereafter, the process proceeds to method step 644 which 
depicts that Next Old Node Pointer is set to point to the node at the 
end of the match branch of Old Stored Node (we are doing this because 

10 if the field type does not match, part of the binary comparison tree 
created for the Rule Under Consideration must be appended to both the 
miss and match branch of the pre-existing hash table tree since the 
ACL Rule(s) encoded by the pre-existing hash table tree do not 
utilize the field type which is utilized by the binary tree 

15 constructed for the current Rule Under Consideration) . Thereafter, 

method step 646 illustrates that Old Compare Node Pointer is reset to 
equal the Next Old Node Pointer, Thereafter, method step 648 depicts 
the inquiry as to whether the value of the node pointed at by Old 
Compare Node Pointer equates to a ''stop value" (e.g., default deny, 

2 0 transmit packet, deny packet, etc.) . In the event that the inquiry 

illustrated by method step 648 yields a determination that the value 
of the node pointed at by Old Compare Node Pointer equates to a stop 
value, the process proceeds to method step 64 9 wherein is illustrated 
the addition of a tree residual, starting Erom the node of the binary 
25 comparison tree for the Rule Under Consideration, pointed at by New 
Compare Node Pointer, at the end of the macch branch of the Old 
Compare Node, which is a node in the Hash Table Tree; that is, the 
node having a value equating to a stop node is replaced with the 
remainder of the binary tree for the Rule Under Consideration, where 

3 0 the first replacement node utilized is that node pointed at by the 

New Compare Node Pointer. Thereafter, the process proceeds to method 
step 630 and stops. In the event that the inquiry illustrated by 
method step 64 8 yields a determination that the value of the node 
pointed at by Old Compare Node Pointer does NOT equate to a stop 

3 5 value, the process proceeds to method step 652 wherein is depicted 

that the New Compare Node Pointer is set to point to the node pointed 
at by the New Stored Node Pointer — the reason that this pointer is 
not advanced at this method step is that now the process is going to 
append at least part of the binary Rule Under Consideration to the 

4 0 match branch of the pre-existing tree where the field types did not 

match. Thereafter, the process proceeds to method step 612 and 
continues from that point . 
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If the inquiry illustrated in method step 640 yields a 
determination that the node on the miss branch of the node pointed to 
by the Old Compare Node Pointer does NOT equate to a stop node, the 
process proceeds to method step 654 which shows that Next Old Node 
Pointer is set to point to the node at the end of the miss branch of 
the node pointed to by the Old Compare Node Pointer (i.e., the next 
node on the match branch of the binary comparison tree for the Pre- 
Existing tree at hash table index) . Thereafter, method step 656 
illustrates that the Old Compare Node Poincer is reset to equal the 
Next Old Node Pointer. Thereafter, the process proceeds to method 
step 640 and continues from that point. 

With reference now to Figures 7A-7D12, shown is an example of 
the creation of a Hash-Table-Balancing Bit Selection Vector, and the 
subsequent creation of Balanced Hash Table of ABCTs such as were 
referred to in the flowcharts above. Figure 7A depicts an obtained 
hypothetical complete, ordered, ACL (e.g., the ACL referenced in 
Figures 1-6, above) . The right-hand column of Figure 7A contains 
examples of the coded versions of ACL Rules which are typically 
utilized within an ACL. The left-hand column gives a plain English 
explanation of what the rules in the corresponding right hand columns 
mean . 

Referring now to Figure 7B, depicted is an example of the 
creation of an exemplar bit string (e.g., such as described in 
relation to method step 204, above) based upon the fields utilized by 
the ACL rules illustrated in the right hand coluinn of Figure 7A, and 
the subsequent use of the exemplar bit string to construct bit 
strings for each ACL Rule in the ACL illustrated in the right-hand 
column of Figure 7A (e.g., such as described in relation to method 
step 206, above) . Also shown is that, for sake of illustration and 
ease of counting, the term ^^bit positions" — as used in the examples 
of Figures 7B-7D12 — will include the "periods" shown in the 
constructed bit strings of Figure 7B, although those skilled in art 
will recognize that in practice such periods are not typically 
counted as bit positions. To reinforce this convention, illustrated 
immediately below the created bit strings of Figure 7B is an 
illustration of the ""bit position" within each constructed bit 
string, as that term is subsequently used in the following Figures 
7C-7D12 . 

Referring now to Figure 7C1-7C5, illustrated is an example of 
the creation of a Hash-Table-Balancing Bit Selection Vector (e.g., 
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such as that referenced in Figures 3A and 3B, above) . The right-hand 
columns of Figures 7C1-7C5 depict the actual use and manipulation of 
quantities utilized and described in relation to Figures 3A and 3B 
above, while the left-hand columns corresponding with (i.e., in the 
same row as) the right-hand columns describe, in words, what is 
transpiring in the right-hand column. The example ends with 
specification of the Hash-Table-Balancing Bit Selection Vector. 

With reference now to Figures 7D1-7D12, shown is an example of 
the creation of a Balanced Hash Table of ABCTs , such as was 
referenced in relation to Figure lA. Figure 7D1 depicts the creation 
(e.g., such as that described in relation to Figure 5, above) of a 
Binary Comparison Rule for the f irst-in-sequence rule within the ACL 
depicted in Figure 7A. Figures 7D1-7D2 illustrate the addition of the 
binary comparison tree created for the f irst-in-sequence rule to a 
hash table at the index position dictated by the Hash- Table-Balancing 
Bit Selection Vector. 

Figure 7D3 depicts the creation (e.g., such as that described 
in relation to Figure 5, above) of a Binary Comparison Rule for the 
second- in- sequence rule within the ACL depicted in Figure 7A. Figures 
7D3-7D4 illustrate the addition of the binary comparison tree created 
for the second- in-sequence rule to a hash table at the index position 
dictated by the Hash-Table-Balancing Bit Selection Vector. 

Figure 7D5 depicts the creation (e.g., such as that described 
in relation to Figure 5, above) of a Binary Comparison Rule for the 
third- in-sequence rule within the ACL depicted in Figure 7A. Figures 
705-706 illustrate the addition of the binary comparison tree created 
for the third-in-sequence rule to a hash table at the index position 
dictated by the Hash-Table-Balancing Bit Selection Vector. 

Figure 7D7 depicts the creation (e.g., such as that described 
in relation to Figure 5, above) of a Binary Comparison Rule for the 
fourth-in-sequence rule within the ACL depicted in Figure 7A. Figures 
7D7-7D8 illustrate the addition of the binary comparison tree created 
for the fourth-in-sequence rule to a hash table at the index position 
dictated by the Hash-Table-Balancing Bit Selection Vector. 

Figure 7D9 depicts the creation (e.g., such as that described 
in relation to Figure 5, above) of a Binary Comparison Rule for the 
f ifth-in-sequence rule within the ACL depicted in Figure 7A. Figures 
7D9-7D10 illustrate the addition of the binary comparison tree 
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created for the f i f th- in-sequence rule to a hash table at the index 
position dictated by the Hash-Table-Balancing Bit Selection Vector. 

Figure 7D11 depicts the creation {e.g., such as that described 
in relation to Figure 5, above) of a Binary Comparison Rule for the 
sixth-in-sequence rule within the ACL depicted in Figure 7A. Figures 
7D11~7D12 illustrate the addition of the binary comparison tree 
created for the sixth-in-sequence rule to a hash table at the index 
position dictated by the Hash-Table-Balancing Bit Selection Vector. 

The foregoing detailed description has set forth various 
embodiments of the present invention via the use of block diagrams, 
flowcharts, and examples. It will be understood as notorious by 
those within the art that each block diagram component, flowchart 
step, and operations and/or components illustrated by the use of 
examples can be implemented, individually and/or collectively, by a 
wide range of hardware, software, firmware, or any combination 
thereof. In one embodiment, the present invention may be implemented 
via Application Specific Integrated Circuits (ASICs) . However, those 
skilled in the art will recognize that the embodiments disclosed 
herein, in whole or in part, can be equivalent ly implemented in 
standard Integrated Circuits, as a computer program running on a 
computer, as firmware, or as virtually any combination thereof and 
that designing the circuitry and/or writing the code for the software 
or firmware would be well within the skill of one of ordinary skill 
in the art in light of this disclosure. In addition, those skilled in 
the art will appreciate that the mechanisms of the present invention 
are capable of being distributed as a program product in a variety of 
forms, and that an illustrative embodiment of the present invention 
applies equally regardless of the particular type of signal bearing 
media used to actually carry out the distribution. Examples of a 
signal bearing media include but are not limited to the following: 
recordable type media such as floppy disks, hard disk drives, CD 
ROMs, digital tape, and transmission type media such as digital and 
analogue communication links using TDM or IP based communication 
links (e.g., packet links). 

A more-preferred embodiment is set forth in the body of the 
present patent application. As noted above, the more-preferred 
embodiment may be implemented by virtually any combination of 
hardware, software, and/or firmware. A less-preferred embodiment is 
set forth in the accompanying appendix. The hardware and software 
aspects of this less-preferred embodiment are merely exemplary, and 
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those skilled in the art will recognize that the less-preferred 
embodiment can itself be implemented by virtually any combination of 
hardware, software, and/or firmware. The less-preferred embodiment 
is in no way intended to limit or apply to the more-preferred 
embodiment . 

The above description is intended to be illustrative of the 
invention and should not be taken to be limiting. Other embodiments 
within the scope of the present invention are possible. Those 
skilled in the art will readily implement the steps necessary to 
provide the structures and the methods disclosed herein, and will 
understand that the process parameters and sequence of steps are 
given by way of example only and can be varied to achieve the desired 
structure as well as modifications that are within the scope of the 
invention. Variations and modifications of the embodiments disclosed 
herein may be made based on the description set forth herein, without 
departing from the spirit and scope of the invention as set forth in 
the following claims. 

Other embodiments are within the following claims. 

While particular embodiments of the present invention have been 
shown and described, it will be obvious to those skilled in the art 
that, based upon the teachings herein, changes and modifications may 
be made without departing from this invention and its broader aspects 
and, therefore, the appended claims are to encompass within their 
scope all such changes and modifications as are within the true 
spirit and scope of this invention. Furthermore, it is to be 
understood that the invention is solely defined by the appended 
claims. It will be understood by those within the art that if a 
specific number of an introduced claim element is intended, such an 
intent will be explicitly recited in the claim, and in the absence of 
such recitation no such limitation is present. For non-limiting 
example, as an aid to understanding, the following appended claims 
may contain usage of the introductory phrases "at least one" and ^^one 
or more" to introduce claim elements. However, the use of such 
phrases should not be construed to imply that the introduction of a 
claim element by the indefinite articles ^^a" or ^^an" limits any 
particular claim containing such introduced claim element to 
inventions containing only one such element, even when same claim 
includes the introductory phrases ^^one or more" or ^^at least one" and 
indefinite articles such as ^^a" or "an"; the same holds true for the 
use of definite articles used to introduce claim elements. 
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CLAIMS 



1 1. A method comprising: 

2 receiving at least one packet; and 

3 disposing of the received at least one packet in response to a 

4 walk of a Balanced Hash Table of Access Control List 

5 Binary Comparison Trees, the Table encoding an Access 

6 Control List. 

1 2, The method of Claim 1, wherein said disposing of the 

2 received at least one packet in response to a walk of a Balanced Hash 

3 Table of Access Control List Binary Comparison Trees, the Table 

4 encoding an Access Control List further includes: 

5 constructing a hash table index value from one or more bit 

6 positions, within the received at least one packet, 

7 pointed at by one or more pointers of a Hash-Table- 

8 Balancing Bit Selection Vector; and 

9 walking a binary comparison tree associated with the 
10 constructed hash table index value. 

1 3. The method of Claim 1, further comprising: 

2 converting the Access Control List to the Balanced Hash Table 

3 of Access Control List Binary Comparison Trees, the Table 

4 encoding the Access Control List. 

1 4. The method of Claim 3, wherein said converting the Access 

2 Control List to the Balanced Hash Table of Access Control List Binary 

3 Comparison Trees, the Table encoding the Access Control List further 

4 includes: 

5 creating a binary comparison tree for at least one Access 

6 Control List rule in the Access Control List. 

1 5. The method of Claim 4, wherein said creating a binary 

2 comparison tree for at least one Access Control List rule further 

3 includes: 

4 creating at least one node, having at least one miss branch and 

5 at least one match branch, for at least one packet header 

6 field utilized by the at least one Access Control List 

7 Rule in the Access Control List. 
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1 6. The method of Claim 3, wherein said converting the Access 

2 Control List to the Balanced Hash Table of Access Control List Binary 

3 Comparison Trees, the Table encoding the Access Control List further 

4 includes: 

5 inserting at least a part of a binary comparison tree 

6 constructed for at least one Access Control List rule 

7 into a hash table entry pointed at by a hash table index - 

1 7. The method of Claim 6, wherein said inserting at least a 

2 part of a binary comparison tree constructed for at least one Access 

3 Control List rule into a hash table entry pointed at by a hash table 

4 index further includes : 

5 generating a hash table index value for the at least one Access 
5 Control List rule; and 

7 inserting the at least a part of a binary comparison tree 

8 constructed for at least one Access Control List rule 

9 into a hash table entry pointed at by a hash table index 
10 which is equal to the generated hash table index value. 

1 8 . The method of Claim 7 , wherein said inserting the at 

2 least a part of a binary comparison tree constructed for at least one 

3 Access Control List rule into a hash table; entry pointed at by a hash 

4 table index which is equal to the generated hash table index value 

5 further includes: 

6 inserting, in its entirety, the binary comparison tree 

7 constructed for the at least one Access Control List rule 

8 into the hash table entry pointed at by the hash table 

9 index in response to a determination that no pre-existing 

10 binary comparison tree is resident within the hash table 

11 entry. 

1 9. The method of Claim 7, wherein said inserting the at 

2 least a part of a binary comparison tree constructed for at least one 

3 Access Control List rule into a hash table entry pointed at by a hash 

4 table index which is equal to the generated hash table index value 

5 further includes: 

6 inserting at least one node of the binary comparison tree 

7 constructed for the at least one Access Control List rule 

8 into the hash table entry pointed at by the hash table 

9 index in response to a determination that a pre-existing 

10 binary comparison tree is resident within the hash table 

11 entry. 
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1 10. The method of Claim 7, wherein said generating a hash 

2 table index value for the at least one Access Control List rule 

3 further includes: 

4 constructing the hash table index value from the contents of 

5 one or more packet headers utilized by the at least one 

6 Access Control List rule in the Access Control List. 

1 11. The method of Claim 10, wherein said constructing the 

2 hash table index value from the contents of one or more packet 

3 headers utilized by the at least one Access Control List rule in the 

4 Access Control List further includes: 

5 constructing the hash table index value from the contents of 

6 the one or more packet header bit positions pointed at by 

7 one or more pointers of a Hash-Table-Balancing Bit 
S Selection Vector. 

1 12. The method of Claim 11, wherein said constructing the 

2 hash table index value from the contents of the one or more packet 

3 header bit positions pointed at by one or more pointers of a Hash- 

4 Table-Balancing Bit Selection Vector further includes: 

5 constructing the Hash-Table-Balancing Bit Selection Vector. 

1 13. The method of Claim 12, wherein said constructing the 

2 Hash-Table-Balancing Bit Selection Vector further includes: 

3 defining one or more pointers of the Hash-Table-Balancing Bit 

4 Selection Vector to point to one or more bit positions in 

5 one or more packet header fields utilized by one or more 

6 rules of the Access Control List. 

1 14. The method of Claim 13, wherein said defining one or more 

2 pointers of the Hash-Table-Balancing Bit Selection Vector to point to 

3 one or more bit positions in one or more packet header fields 

4 utilized by one or more rules of the Access Control List further 

5 includes: 

6 defining the one or more pointers of the Hash-Table-Balancing 

7 Bit Selection Vector to point to one or more bit 

8 positions, which appear relatively most frequently, 

9 within the one or more packet header fields utilized by 
10 the one or more Rules of the Access Control List. 
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1 15. The method of Claim 13, wherein said defining one or more 

2 pointers of the Hash-Table-Balancing Bit Selection Vector to point to 

3 one or more bit positions in one or more packet header fields 

4 utilized by one or more rules of the Access Control List further 

5 includes: 

6 defining the one or more pointers of the Hash-Table-Balancing 

7 Bit Selection Vector to point to one or more bit 

8 positions, whose contents have relatively equal variation 

9 between logical one and logical zero, within the one or 

10 more packet header fields utilized by the one or more 

11 Rules of the Access Control List. 
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1 16. A system comprising: 

2 means for receiving at least one packet; and 

3 means for disposing of the received cit least one packet in 

4 response to a walk of a Balanced Hash Table of Access 

5 Control List Binary Comparison Trees, the Table encoding 

6 an Access Control List. 

1 17. The system of Claim 16, wherein said means for disposing 

2 of the received at least one packet in response to a walk of a 

3 Balanced Hash Table of Access Control List Binary Comparison Trees, 

4 the Table encoding an Access Control List further includes: 

5 means for constructing a hash table index value from one or 

6 more bit positions, within the received at least one 

7 packet, pointed at by one or more pointers of a Hash- 

8 Table-Balancing Bit Selection Vector; and 

9 means for walking a binary comparison tree associated with the 
10 constructed hash table index value. 

1 18, The system of Claim 16, further comprising: 

2 means for converting the Access Control List to the Balanced 

3 Hash Table of Access Control List Binary Comparison 

4 Trees, the Table encoding the Access Control List. 

1 19. The system of Claim 18, wherein said means for converting 

2 the Access Control List to the Balanced Hash Table of Access Control 

3 List Binary Comparison Trees, the Table encoding the Access Control 

4 List further includes : 

5 means for creating a binary comparison tree for at least one 

6 Access Control List rule in the Access Control List. 

1 20. The system of Claim 19, wherein said means for creating a 

2 binary comparison tree for at least one Access Control List rule 

3 further includes : 

4 means for creating at least one node, having at least one miss 

5 branch and at least one match branch, for at least one 

6 packet header field utilized by the at least one Access 

7 Control List rule in the Access Control List. 
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1 21. The system of Claim 18, wherein said means for converting 

2 the Access Control List to the Balanced Hash Table of Access Control 

3 List Binary Comparison Trees, the Table encoding the Access Control 

4 List further includes: 

5 means for inserting at least a part of a binary comparison tree 

6 constructed for at least one Access Control List rule 

7 into a hash table entry pointed at by a hash table index, 

1 22. The system of Claim 21, wherein said means for inserting 

2 at least a part of a binary comparison tree constructed for at least 

3 one Access Control List rule into a hash table entry pointed at by a 

4 hash table index further includes: 

5 means for generating a hash table index value for the at least 

6 one Access Control List rule; and 

7 means for inserting the at least a part of a binary comparison 

8 tree constructed for at least one Access Control List 

9 rule into a hash table entry pointed at by a hash table 

10 index which is equal to the generated hash table index 

11 value. 

1 23. The system of Claim 22, wherein said means for inserting 

2 the at least a part of a binary comparison tree constructed for at 

3 least one Access Control List rule into a hash table entry pointed at 

4 by a hash table index which is equal to the generated hash table 

5 index value further includes: 

6 means for inserting, in its entirety r the binary comparison 

7 tree constructed for the at least one Access Control List 

8 Rule into the hash table entry pointed at by the hash 

9 table index in response to a determination that no pre- 

10 existing binary comparison tree is resident within the 

11 hash table entry. 

1 24. The system of Claim 22, wherein said means for inserting 

2 the at least a part of a binary comparison tree constructed for at 

3 least one Access Control List rule into a hash table entry pointed at 

4 by a hash table index which is equal to the generated hash table 

5 index value further includes : 

6 means for inserting at least one node of the binary comparison 

7 tree constructed for the at least one Access Control List 

8 rule into the hash table entry pointed at by the hash 

9 table index in response to a determination that a pre- 
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1Q existing binary comparison tree is resident within the 

11 hash table entry. 

1 25. The system of Claim 22, wherein said means for generating 

2 a hash table index value for the at least one Access Control List 

3 rule further includes : 

4 means for constructing the hash table index value from the 

5 contents of one or more packet headers utilized by the at 

6 least one Access Control List rule in the Access Control 

7 List. 

1 26. The system of Claim 25, wherein said means for 

2 constructing the hash table index value from the contents of one or 

3 more packet headers utilized by the at least one Access Control List 

4 rule in the Access Control List further includes: 

5 means for constructing the hash table index value from the 

6 contents of the one or more packet header bit positions 

7 pointed at by one or more pointers of a Hash-Table- 

8 Balancing Bit Selection Vector. 

1 27. The system of Claim 26, wherein said means for 

2 constructing the hash table index value from the contents of the one 

3 or more packet header bit positions pointed at by one or more 

4 pointers of a Hash-Table-Balancing Bit Selection Vector further 

5 includes : 

6 means for constructing the Hash-Table-Balancing Bit Selection 

7 Vector . 

1 28. The system of Claim 27, wherein said means for 

2 constructing the Hash-Table-Balancing Bit Selection Vector further 

3 includes: 

4 means for defining one or more pointers of the Hash-Table- 

5 Balancing Bit Selection Vector to point to one or more 

6 bit positions in one or more packet header fields 

7 utilized by one or more rules of the Access Control List. 

1 29. The system of Claim 28, wherein said means for defining 

2 one or more pointers of the Hash-Table-Balancing Bit Selection Vector 

3 to point to one or more bit positions in one or more packet header 

4 fields utilized by one or more rules of the Access Control List 

5 further includes: 
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6 means for defining the one or more pointers of the Hash-Table- 

7 Balancing Bit Selection Vector to point to one or more 

8 bit positions, which appear relatively most frequently, 

9 within the one or more packet header fields utilized by 
10 the one or more Rules of the Access Control List. 

1 30. The system of Claim 29, wherein said means for defining 

2 one or more pointers of the Hash-Table-Balancing Bit Selection Vector 

3 to point to one or more bit positions in one or more packet header 

4 fields utilized by one or more rules of the Access Control List 

5 further includes: 

6 means for defining the one or more pointers of the Hash-Table- 

7 Balancing Bit Selection Vector to point to one or more 

8 bit positions, whose contents have relatively equal 

9 variation between logical one and logical zero, within 

10 the one or more packet header fields utilized by the one 

11 or more Rules of the Access Control List. 

1 31, The system of Claim 16, further comprising: 

2 signal bearing media bearing 

3 said means for receiving at least one packet, and 

4 said means for disposing of the received at least one 

5 packet in response to a walk of a Balanced Hash 

6 Table of Access Control List Binary Comparison 

7 Trees, the Table encoding an Access Control List. 

1 32. The system of Claim 31, wherein said signal bearing media 

2 further includes: 

3 recordable media. 

1 33. The system of Claim 31, wherein said signal bearing media 

2 further includes : 

3 transmission media. 

1 34. The system of Claim 16, wherein the system further 

2 includes : 

3 a network station. 
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1 3 5. A program product comprising: 

2 signal bearing media bearing 

3 means for receiving at least one packet, and 

4 means for disposing of the received at least one packet 

5 in response to a walk of a Balanced Hash Table of 

6 Access Control List Binary Comparison Trees, the 

7 Table encoding an Access Control List, 

1 36. The program product of Claim 35, wherein said signal 

2 bearing media further includes : 

3 recordable media. 

1 37. The program product of Claim 35, wherein said signal 

2 bearing media further includes : 

3 transmission media, 

1 38. The program product of Claim 35, wherein said means for 

2 disposing of the received at least one packet in response to a walk 

3 of a Balanced Hash Table of Access Control List Binary Comparison 

4 Trees, the Table encoding an Access Control List further includes: 

5 means for constructing a hash table index value from one or 

6 more bit positions, within the received at least one 

7 packet, pointed at by one or more pointers of a Hash- 

8 Table -Balancing Bit Selection Vector; and 

9 means for walking a binary comparison tree associated with the 
10 constructed hash table index value. 

1 39. The program product of Claim 35, further comprising: 

2 means for converting the Access Control List to the Balanced 

3 Hash Table of Access Control List Binary Comparison 

4 Trees, the Table encoding the Access Control List. 

1 40. The program product of Claim 39, wherein said means for 

2 converting the Access Control List to the Balanced Hash Table of 

3 Access Control List Binary Comparison Trees, the Table encoding the 

4 Access Control List further includes: 

5 means for creating a binary comparison tree for at least one 

6 Access Control List rule in the Access Control List. 
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1 41. The program product of Claim 40, wherein said means for 

2 creating a binary comparison tree for at least one Access Control 

3 List rule further includes: 

4 means for creating at least one node, having at least one miss 

5 branch and at least one match branch, for at least one 

6 packet header field utilized by the at least one Access 

7 Control List rule in the Access Control List. 

1 42. The program product of Claim 39, wherein said means for 

2 converting the Access Control List to the Balanced Hash Table of 

3 Access Control List Binary Comparison Trees, the Table encoding the 

4 Access Control List further includes: 

5 means for inserting at least a part of a binary comparison tree 

6 constructed for at least one Access Control List rule 

7 into a hash table entry pointed at by a hash table index. 

1 43. The program product of Claim 42, wherein said means for 

2 inserting at least a part of a binary comparison tree constructed for 

3 at least one Access Control List rule into a hash table entry pointed 

4 at by a hash table index further includes: 

5 means for generating a hash table index value for the at least 

6 one Access Control List rule; and 

7 means for inserting the at least a part of a binary comparison 

8 tree constructed for at least one Access Control List 

9 rule into a hash table entry pointed at by a hash table 
XO index which is equal to the generated hash table index 
11 value. 

1 44. The program product of Claim 43, wherein said means for 

2 inserting the at least a part of a binary comparison tree constructed 

3 for at least one Access Control List rule into a hash table entry 

4 pointed at by a hash table index which is equal to the generated hash 

5 table index value further includes: 

6 means for inserting, in its entirety, the binary comparison 

7 tree constructed for the at least one Access Control List 

8 Rule into the hash table entry pointed at by the hash 

9 table index in response to a determination that no pre- 

10 existing binary comparison tree is resident within the 

11 hash table entry. 
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1 45. The program product of Claim 43, wherein said means for 

2 inserting the at least a part of a binary comparison tree constructed 

3 for at least one Access Control List rule into a hash table entry 

4 pointed at by a hash table index which is equal to the generated hash 

5 table index value further includes: 

6 means for inserting at least one node of the binary comparison 

7 tree constructed for the at least one Access Control List 

8 rule into the hash table entry pointed at by the hash 

9 table index in response to a determination that a pre- 

10 existing binary comparison tree is resident within the 

11 hash table entry. 

1 46- The program product of Claim 43, wherein said means for 

2 generating a hash table index value for the at least one Access 

3 Control List rule further includes: 

4 means for constructing the hash table index value from the 

5 contents of one or more packet headers utilized by the at 

6 least one Access Control List rule in the Access Control 

7 List. 

1 47- The program product of Claim 46. wherein said means for 

2 constructing the hash table index value from the contents of one or 

3 more packet headers utilized by the at least one Access Control List 

4 rule in the Access Control List further includes: 

5 means for constructing the hash table index value from the 

6 contents of the one or more packet header bit positions 

7 pointed at by one or more pointers of a Hash-Table- 

8 Balancing Bit Selection Vector. 

1 48- The program product of Claim 47, wherein said means for 

2 constructing the hash table index value from the contents of the one 

3 or more packet header bit positions pointed at by one or more 

4 pointers of a Hash-Table-Balancing Bit Selection Vector further 

5 includes: 

6 means for constructing the Hash-Table-Balancing Bit Selection 

7 Vector. 

1 49. The program product of Claim 48, wherein said means for 

2 constructing the Hash-Table-Balancing Bit Selection Vector further 

3 includes: 
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4 means for defining one or more pointers of the Hash-Table- 

5 Balancing Bit Selection Vector to point to one or more 

6 bit positions in one or more packet header fields 

7 utilized by one or more rules of the Access Control List. 

1 50. The program product of Claim 49, wherein said means for 

2 defining one or more pointers of the Hash-Table-Balancing Bit 

3 Selection Vector to point to one or more bit positions in one or more 

4 packet header fields utilized by one or more rules of the Access 

5 Control List further includes: 

6 means for defining the one or more pointers of the Hash-Table- 

7 Balancing Bit Selection Vector to point to one or more 

8 bit positions, which appear relatively most frequently, 

9 within the one or more packet header fields utilized by 
10 the one or more Rules of the Access Control List. 

1 51. The program product of Claim 50, wherein said means for 

2 defining one or more pointers of the Hash-Table-Balancing Bit 

3 Selection Vector to point to one or more bit positions in one or more 

4 packet header fields utilized by one or more rules of the Access 

5 Control List further includes: 

6 means for defining the one or more pointers of the Hash-Table- 

7 Balancing Bit Selection Vector to point to one or more 

8 bit positions, whose contents have relatively equal 

9 variation between logical one and logical zero, within 

10 the one or more packet header fields utilized by the one 

11 or more Rules of the Access Control List. 
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IMPLEMENTING ACCESS CONTROL LISTS USING A BALANCED HASH TABLE OF 
ACCESS CONTROL LIST BINARY COMPARISON TREES 

Faisal Haq 
Hari K. Lalgudi 



ABSTRACT OF THE DISCLOSURE 

A method and system for implementing Access Control Lists 
(ACLs) using a Balanced Hash Table of ACL Binary Comparison Trees 
(ABCTs), where the Balanced Hash Table of ABCTs encodes the replaced 

10 ACL. In one embodiment, the method includes but is not limited to 

receiving at least one packet, and disposing of the received at least 
one packet in response to a walk of a Balanced Hash Table of ABCTs, 
where the Balanced Hash Table of ABCTs encodes an Access Control 
List. In another embodiment, the method further includes converting 

15 the Access Control List to the Balanced Hash Table of ABCTs, the 

Balanced Hash Table of ABCTs encoding the Access Control List. In 
one embodiment, the system includes means for receiving at least one 
packet, and means for disposing of the received at least one packet 
in response to a walk of a Balanced Hash Table of ABCTs, where the 

2 0 Balanced Hash Table of ABCTs encodes an Access Control List. In 

another embodiment, the system further includes means for converting 
the Access Control List to the Balanced Hash Table of ABCTs, where 
the Balanced Hash Table of ABCTs encodes the Access Control List. 
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utilized to "key into" a yet-to-be- 
constructed Balanced Hash Table of 
ABCTs 



z 



Using a heuristic balancing process, select a 
number of bit positions within the bit strings, 

constructed for and associated with each ACL 
rule, such that the number of bits selected is 
equal to the number of bits in the hash table 
index and such that the bit positions selected 
are those positions in which the bits utilized by 
the ACL rules appear relatively most frequently 
and which have mostly equal variation between 
zeros and ones; Set Hash-Table-Balancing Bit 
Selection Vector to Point to the Selected Bit 
Positions 



FIG. 



^ STOP — 2* 1*3^ 



start ^ r*- 



A 



OJbtaln Each 
Bit String 
Constructed 
For Each ACL 
Rule In The 
ACL 



Align Each Obtained Constructed 

Bit String With Every Other 
Constructed Bit String Such That 
Like Fields, And Bits Contained 
Within Those Like Fields, of Each 
Constructed Bit String Align With 
Each Other 



30^ 



Set Current Aligned 
Bit Position To Be 
The Leftmost Bit 
Position Of The 
Aligned Constructed 
Bit Strings 



50S 



Count 


And 


Record 


The 


Number 


Of 




In 


The 


Current 


Aligned 


Bit 


Position 


Count 


And 


Record 


The 


Number 


Of 


'^I'S 


In 


The 


Current 


Aligned 


Bit 


Position 


Count 


And 


Record 


The 


Number 


Of 


"X"S 


In 


The 


Current 


Aligned 


Bit 


Position 



For The Current Aligned Bit Position, Calculate 
And Record 

Total Count Of «1"S + "X'S (= Count Of "I'S + 

Count Of "X-S) and 
Total Count Of "O'S + "X''S (= Count Of "O^S + 
Count Of '^X^S) 




Reset Current Aligned 
Bit Position To Be The 
Next Rightwards Bit 
Position 



P3 



Set "Number of Unspecified Pointers 

of the Hash-Table-Balancing Bit 
Selection Vector" Equal to Specified 
Bit Length of Hash Table Index 



Construct A "Larger Total Count" Row, Where 
The Larger Total Count Row Has One Column For 

Each Bit Position Corresponding To The Bit 
Positions Of The Exemplar Bit String (or the 
Bit Positions of Each Constrxicted Bit String 
Built on the Basis of the Exemplar Bit String) 



Fill Each Column Of The Larger Total Count Row 
With The Larger Of Either The Total Count Of '^O'S 
+ ^X'S Or The Total Count Of "l-'S + '*X''S For The 
Bit Position Corresponding To Each Such Column Of 
The Larger Total Count Row 
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Construct A "Smaller Total Count" Row, Where The 
Smaller Total Count Row Has One Column For Each 
Bit Position Corresponding To The Bit Positions 
Of The Exemplar Bit String (or the Bit Positions 
of Each Constructed Bit String Built on the Basis 
of the Exemplar Bit String) 



Fill Each Column Of The Smaller Total Count Row 
with The Smaller Of Either The Total Count Of 
*0-S + "X'S Or The Total Count Of «1-'S + "X'S 
For The Bit Position Corresponding To Each Such 
Co liJmn Of The Smaller Tohaj Count Row 



Select The One Or More Columns Of The Larger 
Total Count Row Having The Smallest Or Minimum 

Value Entries, And Designate Those Columns 
Having The Smallest Or Minimum Value Entries As 
Potential, "P, " candidate columns 




Attempt To Refine The Selection By Examining The One Or 
More Columns Of The Smaller Total Count Row. Such Examined 
Smaller Total Count Row Columns Being Those Corresponding 

To The Columns Currently Designated As Potential, "P, " 
Candidate Columns Within The Larger Total Count Row, And 
Redesignate as Potential, *R, " candidate columns To Be 
Those Examined Columns Within The Smaller Total Count Row 
With The Minimum, Or Smallest, Entries 



i 

33g 



CID 



FIG. 3A 




apecity A NuirUDer, Kquax To Tne Number ot UnspecLtied Pointers ofc 
the Hash-Table-Balancing Bit Selection Vector, Of Potential, '^R," 
Coluitms As Actual, "K, * Hash-Table-Balancing Bit Selection Vector 

Pointer Indication Columns, Whose Columns' Corresponding Bit 
Positions In The Respective Fields Prom which The Respective Bit 
Strings Were Constructed Will Thereafter Be Pointed at by Pointers 
o£ ^■he Hf^ sh-Table-RRlaT^cina Bit- .gel Pr-h-i on Vpcj-or- 



33 



stop 



333 



Specify All Potential, '^P'^ or "R, - Columns As Actual, "K, " Hash- 
Table-Balancing Bit Selection Vector Pointer Indication Columns, 
Whose Col;amns' Corresponding Bit Positions In The Respective 
Fields From Which The Respective Bit Strings Were Constructed Will 
Thereafter Be Pointed at by Pointers of the Hash-Table -Balancing 
Bit Selection Vector 



Subtract Number of Actual, "K, ' Hash-Table-Balancing Bit Selection 
Vector Pointer Indication Columns Just Specified From "Number of 
Unspecified Pointers of the Hash-Table-Balancing Bit Selection 

Vector" 



FIG. 3B 





Mark Columns Of Larger Total Count Row And Mark Columns Of Smaller 
Total Count Row Which Have Been Specified, At Any Point In The 
Process, As Actual '^K' Hash-Table-Balancing Bit Selection Vector 
Pointer Indication Columns As *No Longer Select able /No Longer 
Under Consideration 



^ Start ^ 1^ 





Obtain 


1 — ^ 


Complete, 




Ordered, ACL 



1 



Create Hash Table Having 
Number Of Entries 
Corresponding To The 
Specified Bit Length Of The 
hash Table Index 




Using Hash-Table-Balancing Bit Selection 
Vector, Examine Bit Positions Of The Packet 

Header Fields Utilized By The Rule Under 
Consideration Which Are Pointed At by Hash- 
Table-Balancing Bit Selection Vector 



5 



Use The Bit Values Contained Within The 
Examined Bit Positions Of The Fields 
Utilized By The Rule Under Consideration, 
Construct a Hash Table Index Value To "Key 
Into" A Row Of The Created hash table 



For The Rule Under Consideration, Examine From Left To Right The 
Fields Utilized By The Rule Under Consideration, Construct A Binary 
comparison tree Entry For Each Such Field Utilized 



'%0 



At The Hash Table Entry Which Was "Keyed Into" Utilizing The Hash 
Table Index Value Constructed for the Rule Under Consideration, 
Append The Binary Comparison Tree Constructed for the Rule Under 
Consideration 




Set Rule Under 
Consideration 
To Be The Next ACL Rule 
Sequentially Appearing 
In The ACL 



FIG. 4 



Designate Constructed 
Table to be a Balanced 
Hash Table of ;^CTs 



Stop ^^J^ ^ 



?-0 



$00 




Insert Protocol Compare Node 
Having Miss and Match 
Branches Consistent With 
Protocol Field of Rule Under 
Consideration 




Yes 



Insert Source Address Compare 
Node Having Miss and Match 
Branches Consistent With 
Source Address Field of Rule 
Under Consideration 




New Compare Node Pointer ts set to point to the lettmost noae 
of the binary comparison tree for the rule under consideration; 
New Compare Node Field Type is set equal to the type of field 
utilized by the node pointed to by the New Compare Node 
Pointer 



start ^- (^0O 



Old Compare Node Pointer is set to the lenmost noae tor rooij or 
the pre-existing binary comparison tree already present at the hash 
index; Old Compare Node Field Type is set equal to the type of 
field utilized by the node pointed at by the Old Compare Node 
Pointer 



Binary comparison tree is 
appended in its entirety at the 
hash table entry associated with 
the hash table index, with the 
leftmost node of Binary 
comparison tree serving as root of 
ttie tree 




New Stored Node Pointer is set to be 
equal to the New Compare Node 
Pointer 



Old Stored Node Pointer is set to be 
equal to Old Compare Node Pointer 




Next New Node Pointer is set to point to the node at 
the end of the match branch of the node pointeti to 
by the New Compare Node Pointer (i.e., the next 
node on the match branch of the binary comparison 
tree for the njle under consideration) 



New Compare Node Pointer is reset to be equal to 
the Next New Node Pointer 



Next Old Node Pointer Is set to point to the node at the 
end of the match branch the node pointed to by the Old 
Compare Node Pointer 



-Yes- 



Next Old Node Pointer is set to point to the 
node at the end of the miss branch of the 
node pointed to by the Old Compare Node 
Pointer 



^^^ ^^ 



Next Old Node Pointer is set to 
point to the node at the end of 

the miss branch of node 
pointed to by the Old Compare 
Node Pointer {i.e., the next 
node on the match branch of 
the binary comparison tree for 
the Pre-Existing tree at hash 
tdble index) 



Old Compare Node 
Pointer is reset to be 
equal to the Next Old 
Node Pointer 



C 



Next Old Node Pointer is set to point 
to the node at the end of the 
MATCH branch of Old STORED 
Node (we are doing this because if 
the field type does not match, part of 
the binary comparison tree created 
for the rule under consideration must 
be appended to both the miss and 
match branch of the pre-existing 
hash table tree since the ACL 
Rule(s) encoded by the pre-existing 
hash table tree do not utilize the field 
type which is utilized by the binary 
tree constmcted for the current rule 
under consideration) 



Add tree residual, starting from the node of the binary 

comparison tree for the rule under consideration, 
pointed at by New Compare Node Pointer, at the end 
of the miss branch of the Old Compare Node, w^lich is 
a node in the Hash Table Tree; that is. the node 
having a value equating to a stop node is replaced 
with the remainder of the binary tree for the rule under 
consideration, where the first replacement node is that 
node pointed at by the New Compare Node Pointer 



1 



Yes 



Old Compare Node Value is 
reset to be the value of the 
Next Old Node Pointer 



Ibl 



Old Compare Node Pointer is reset 
equal the Next Old Node Pointer 



The New Compare Node Pointer is set to point to the 
node pointed at by the New Stored Node Pointer - the 
reason that this pointer is not advanced at this method 

step is that now the process is going to append at 
least part of the binary rule under consideration to the 
match branch of the pre-existing tree where the field 
types did not match 



Fig. 6 




The node on the miss branch of node pointed to 
by Old Compare Node Pointer Is replaced with 
the node pointed at by New Compare Node 
Pointer (i.e., the New Compare Node Value is 
appended onto the Pre-Existing Binary 
comparison tree) 



I 



Default Deny Node Value is appended to the 
miss branch of the node just appended to the 

pre-existing hash table tree (i.e., the node 
pointed to by the New Compare Node pointer) 

as was discussed in preceding mettiod step 



T 



I 



^ stop ^ 



Add tree residual, starting from the node of the binary 

comparison tree for the rule under consideration, 
pointed at by New Compare Node Pointer, at the end 
of the match branch of the Old Compare Node, which 
is a node in the Hash Table Tree; that is, the node 
having a value equatir^ to a stop node is replaced 
with the remainder of the binary tree for the mle under 
consideration, where the first replacement node is that 
node pointed at by the New Compare Node Pointer 
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□ was filed on as Application Serial No. 

□ and was amended on (if applicable). 
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37, Code of Federal Regulations, § 1.56. 

I hereby claim foreign priority benefits under Title 35, United States Code, § I19(a)-(d) of any 
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below and, insofar as the subject matter of each of the claims of this application is not disclosed in the 
prior application(s) in the manner provided by the first paragraph of Title 35, United States Code, § 
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Title 37, Code of Federal Regulations, § L56, which became available between the filing date of the 
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Definitions 

This section defines words, acronyms, and actions which may not be readily understood. 

SALSA4 ASIC on the GSR TTM48 Linecards that support ACL lookup in hardware 

Refer to ENG-3591 8 for complete description. In this document Salsa by default will refer 
to Salsa4 only. 

ACL Access control lists used for packet classification and filtering. Each ACL has number of 

items, each specifying permit/deny action for packets matching the source, destination 

Ex- ACL Extended ACL, which matches more fields in IP header than standard ACL (source IP 

address). Fields include Destination IP address, source and destination TCP/UDP ports, 
protocol type. 

TTM48 Time to Market OC48 engine and line cards built on this Engine(also refered as TTM) 
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GE Gigabit Ethernet GSR linecard with TTM48 engine and Salsa4 ASIC (unless otherwise 

specified) 

FE 8 port Fast Ethernet GSR linecard with TTM48 engine and Salsa4 ASIC (unless otherwise 

specified) 

S-ACL ACL lookup done by Salsa4 

FIB, CEF Forwarding Information Base or Cisco Express Forwarding, which is an mtrie used for 

lookup(based on destination IP address) to forward packets 

CAR Committed Access Rate. It is an lOS feature that may use ACLs to match packets and 

verify conform/exceed rate limits and perform actions such as permitting, dropping or 
marking the packet. 
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1.0 Problem Definition 

TTM48 linecards without Salsa4 ACL hardware support, do extended ACL lookup in software. This CPU intensive 
operation results in a performance degradation from linerate (650 Kpps) without ACLs to 32Kpps with 512 ACL 
items. With Turbo or compiled ACLs in software, performance drop is from 650Kpps to a constant 270 Kpps 
(independant of the number of ACL items). 

TTM ACL hardware solution needs to (a) presetve the order of items and checks in ACLs (b) provide full filtering or 
classification functionality(e.g. source and destination IP address, TO'S, TCP/UDP port ranges) currently supported 
in software (c) higher performance than Turbo ACLs (270Kpps) for 1 0-1000 ACL items.. 

Salsa4(ENG-31 157) solution is a hardware engine that traverses a hashed linked list of nodes(figure below), that is 
equivalent to the extended ACL, to permit or deny the packet. Each node(64 bits) is an instruction to Salsa4 to 
compare one or more fields(source/destination IP address, TCPAJDP port) in the incoming packet against an ACL 
parameter, and find the next match or miss nodes. The last(Stop) node specifies permit/deny value and more 
information for software to execute any other actions(e.g. ACL accounting, ACL logging or TCP flags checks). 
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HASH TABLE 



Salsa4 ACL support is only for input ACLs, since Salsa4 does not do ACL lookup after FIB lookup is done when 
output adjacency/port areidentified. Also, Salsa4 does not support subinterface ACL, since subinterface identification 
(e.g. based on VLAN) is difficult in the given hardware. 

2.0 Design Considerations 

S-ACL(Salsa4 ACL) software tasks are: 

1. Parse lOS ACL configuration to create the hash table and list of nodes. 

2. Switching path code to process S-ACL node information(e.g. permit/deny, ACL logging, check TCP flags) 

3. Handle error conditions(e.g. maximum number of nodes read) and continue software lookup on the ACL hash list 
in selected cases. 

4. Provide user configurations to enable S-ACLs and to do performance tuning by weighting selection of hash bits. 

2.1 Requirements/Constraints on parsing lOS ACL to Hash Table and Nodes 

S-ACL nodes should preserve order of ACL item checks. S-ACL performance crucially depends on the 
average number of nodes Salsa4 processes before coming to the Stop node. This depends on 
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(a) the bits selected for hashing 

(b) the parsing algorithm for creating nodes from ACLs. 

(c) traffic pattern to different Stop nodes. 

2.2 Constraints on Switching Code for S-ACL support 

1. There should be no performance impact on GSR linecards that do not use Salsa4 ASIC. 

1. TTM48 linecards can achieve 650Kpps by offloading FIB lookup in Salsa and the software saving cycles by 
not caching and invalidating packet headers in the L2 cache. To achieve performance better than 
270Kpps(Turbo-ACLs), software should only cache/invalidate packet headers in L2 cache only (a) if Salsa4 
does not find a valid(permit/deny) Stop node or (b) need to apply other features(input CAR/accounting). 

2.3 S-ACL vs Turbo-ACL 

Although Turbo- ACL gives 270Kpps on GSR LC with input ACLs irrespective of the number of ACLs, , the 
performance drop from 650 Kpps for TTM48 LCs is significant. S-ACL performance is dependant on the 
number of ACL items (which determines number of ACL nodes). We do not provide automatic selection of 
Turbo- ACL or S-ACLs. Here are the guidelines for the user for manual selection via configuration:. 

(a) For output ACLs, use Turbo- ACLs 

(b) For input ACLs where number of input items leads to performance < 270Kpps, use Turbo- ACLs, otherwise 
use S-ACLs. 

2.4 Separation of hardware dependant and hardware independant modules 

S-ACL hash tables and trees should be made hardware independant so that pure software lookups without 
hardware assist is possible This is useful for (a) linecards without Salsa4 and (b) ACL lookup for packet 
classification purposes other than filtering (e.g. ACL based CAR) 

2.5 Memory requirements for S-ACL 

The Match/Miss address in each ACL node is derived from the "node base"(10b) and match/miss "offset"(8b). 
The algorithm to create ACL nodes needs to make sure that the "node base" is the same for the match and miss 
nodes. We guarantee this by allocating 2^18 nodes for each S-ACL node memory. 

Thus the memory requirements for S-ACL on 8 port FE LC is (8 * 2^18 * 8B) = 8MB 
3.0 Functional Structure 

The S-ACL software is separated into Salsa4 specific module and hardware independant ACL Hash Table module. 

The Salsa4 module sets up Salsa4 registers to enable/disable ACL lookup, setup hash table addresses, select hash 
tables based on multi ported linecards (e.g. FE), and to keep history of errors during S-ACL lookup. 

The ACL Hash Table module however needs parameters from the hairdware dependant module to allocate memory 
that is consistent with hardware requirements (e.g. 8B aligned or hash table next to node memory map) 

The current scheme of sending ACL config is sent from RP to LC via FIB IPC messages is unchanged. While parsing 
interface ACL config on LC, if S-ACL interface is affected, then we do the following: 

(1) disable Salsa4 from using S-ACL hash tables, 

(2) clear the current S-ACL hash table and node memory map. 

(3) recalculate hash key and insert hash nodes for each ACL item. For multiported linecards(FE) since there is only 
one hash key for all hash tables, this impUes recalculating hash key based on all FE interface S-ACL configurations 
and inserting ACL nodes for all FE interface ACL items. 
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4,0 Packet Flow 

We need to add support for S-ACL in the software switching code without affecting performance of existing 
linecards that do not use Salsa4. Switching vectors introduced by Netflow on GSR(12.0(6)S) allows us to add new 
features in the switching path without incurring the runtime performance. Currently, there are 4 switching vectors for 
TTM path: no flow/no feature, flow/no feature, no flow/feature, flow and feature (feature refers to FTB/CEF features 
such as input/output ACLs or CAR or accounting). 

S-ACL support makes this 8 switching vectors: no S-ACLVno flow/no feature, no S-ACL/flow/no feature, no S-ACL/ 
no flow/feature, no S -ACL/flow/feature, S-ACL/no flow/no feature, S-ACL/flow/no feature, S-ACL/no flow/feature, 
S-ACL/flow/feature. We select S-ACL switching vectors if we find Salsa-4 version (Salsa L3 Asic Id Register >- 4). 

In S-ACL switching vectors, if Salsa4 gets a valid FIB leaf, we read the S-ACL registers (while still working in L2 
uncached mode for accessing bhdr and IP ptrs). If there are no S-ACL errors (S-ACL status register), and no other 
feature checks (e.g. input/output CAR/accounting) need to be done, we switch the packet in uncached mode. Else, we 
cache the packet, check other features, switch the packet and invalidate the L2 cache (and incurring the performance 
penalty of dropping to 300-400Kpps). 

If S-ACL is successful, we need to disable input ACL checks in the FTB feature path. This is done by setting the 
platform specific FIB control block parameter to skip input ACL checks. 

5.0 Salsa4 error handling 

Salsa4 may report the following types of errors in S-ACL processing: 

• ACL Engine Maxed out error: Salsa4 did not reach a STOP node(permit/deny) at the end of maximum number of 
lookups (software configurable register). The DRAM Catastrophic Error Address register gives the address infor- 
mation. 

• ACL Engine uncorrected ECC error: Salsa4 encountered a uncorrectable ECC error during a DRAM read. The 
DRAM Catastrophic Error Address register gives the address information, 

• ACL Engine out-of -range error: 

S-ACL hash table errors(due to software bugs or insufficient memory) are reported by errmsgs. The following debug 
commands on the linecard allows further debugging: 

• debug ip access hash 

• debug ip access detail-hash 

The following commands show the S-ACL hash table and nodes information. If the above debugs are turned off, only 
the "useful" nodes are display, otherwise all nodes in the hash table, including stop nodes are printed. 

• show access hash <port-number> { nodes } 

6.0 Algorithmic Description 

6.1 ACL Items mapping to ACL Nodes 

Each ACL item may contain checks(exact match or range) for source IP address, destination IP address, 
protocol type, source and destination TCP/UDP port numbers and TOS. This translates to multiple ACL nodes, 
each node checking one value of the field (or multiple fields for TOS/Protocol). When we parse each item we 
set the "Miss'* address in each of these nodes to a new Stop node, which is that index's "last node". Since we 
need to keep the ordering among ACL items, we use this "last node" as the starting node for the nextACL item 
that hashes into the same hash index 

For example, item 7and 20 of an ACL, which map to the same hash index, are inserted in the table with a last 
stop node. Now we want to insert item 23, also hashing to the same index, starting from the last node. 
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6.2 Dynamic ACL Hash Key selection algorithm 

Using the above ACL item to node allocation method, the worst performance is obtained when Salsa4 is made 
to walk all the ACL nodes for given hash index and terminates at the last node 

We can reduce the distance to the last node by picking the right bits for ACL Hash Key selection. 

Consider each ACL item to be represented as a "select" bitmask of <src_ip, dst Jp, protocol, src_port, dst__port, 
tos>, where a field's bit = 1 if the ACL item checks the field, else field's bit = 0. 

If a field (e.g. bit 9 of destination IP address) is selected for determining the hash key, and if the corresponding 
bit in the item's "select" bitmask is 1, then the item's ACL nodes need to be inserted only in the hash index for 
which the bit is either 0 or 1 (depending on ACL item's value). If the "select" bitmask is 0, then the item's ACL 
nodes need to be inserted in all hash indexes where this bit is either 0 or 1. 

Our algorithm maintains two counts, zero_count(for bit=0) and one_count(for bit=l), for each bit in the 
"select" bitmask. For each ACL item, we get a "per-item-wt" by multiplying the number of nodes for that ACL 
item with a per- ACL weight(default 1), If the "select" bitmask for that bit = 0, we add the "per-item-wt" to both 
zero„count and one_count. Else, if the item bit value in item is 0, we add the "per-item-wt" to zero_count only. 
Else if the item bit value is 1, we add "per-item-wt" to only one_count. 

Worst case performance penalty of not selecting a bit in the hash key is given by max(zero_count, one_count) 
for that bit. Worst case performance of selecting the bit in the hash key is given by the min(zero_count, 
one_count) for that bit. 

We seek to minimize the maximum performance penalty of selecting the bits. Hence we sort the 
min(zero_count, one_count) of all the bits and pick up the first "n" (for Salsa4, n = 10) bits. If there are two bits 
with the same min() value, the max() is used to differentiate the bits. 

The per-ACL weights represents the amount of traffic hitting each ACL. These weights may be assigned by the 
user or calculated by the amount of traffic hitting the ACL as a percentage of all the traffic. 
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Traffic distribution may be skewed towards one protocol (e.g. IHTTTP with TCP/IP) and the ACLs may not 
represent this factor. We use a "per-field" weight to compare the performance penalty of selecting a field that 
may not be varying as much as other field. 

7.0 SW Restrictions and Configuration 

(1) S-ACL does not currently support ACL lookup for CAR or output ACLs. 

(2) Currently support is only in 12.0S (no support is planned for 1 1.2GS releases) 

(3) S-ACL is not supported for subinterface ACLs. 

(4) S-ACL tree updates are not done on the fly, since Salsa4 may walk down old/unused paths. 

8.0 HW Restrictions and Configuration 

(1) For multiported TTM LCs (e.g. FE), we do not have multiple hash keys for the different hash tables. Since same 
hash key is used for multiple ports, a long ACL on one port may influence selection of hash key bits, thus influencing 
performance on other FE port using same hash key. 

(2) Port information for selecting hash table is either in the INPUT_WFO field of BHDR or the 4B POS header(FE). 

(3) Maximum lookup counter is implemented to prevent Salsa4 from getting lost in a corrupt ACL tree. This requires 
software to perform the rest of the lookups if a valid result requires more S-ACL checks. 

(4) 8 port FE LC requires 4MB memory (8 chunks aligned at 256KB) for the 8 hardware ACL hash tables. If this 
memory is not available during initialization, S-ACL support may fail. 

9.0 External Restrictions and Configuration 

S-ACL support for GE is dependant on GSR product team approval for Salsa4 GE LC as an "enhanced" linecard or a 
new feature on existing linecards that may require a hardware upgrade of existing linecards. 

10,0 Development Unit Testing 

S-ACL unit test cases should verify the functionality for different types of ACL nodes(permit and deny) that can be 
generated by ACL configurations: 

L Source IP address with mask of 0.255.255.255, 0.0.255.255, 0.0.0.255 and 0.0.0.0 

2. DestinationIP address with mask of 0.255.255.255, 0.0.255.255, 0.0.0.255 and 0.0.0.0 

3. Protocol types: TCP, UDP, ICMP, IGMP, IGRP, EIGRP, IGRP, IPINIP, NOS, OSPF 

4. TCP/UDP Source/Destination Port: port numbers with operations eq, It, gt. 

5. ICMP/IGMP Source/Destination port numbers with operations eq. It, gt. 

6. TOS values with combination of Source/Destination port numbers indicated above. 

Other unit tests are to populate the ACL Hash table with at least one ACL item and check for validity. Example: 

(a) Configure 1024 ACL items each with incrementing source/destinaition IP address, with alternating permit/deny 
values in each item. 

(b) Send traffic for 1024 source/destination IP address and verify that Salsa drops/permits the packet and updates the 
right ACL item counters. 
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Other unit test is use "S-ACL debug" mode, where we configure 1000+ item list with incrementing source/ 
destination IP address or TCP ports or protocol fields. Configure "debug access switch" on the linecard that verifies 
the output of the S-ACL lookup with the conventional or Turbo-ACL lookup. Scripts then send traffic with 
incrementing source/destination IP addr or port or protocol numbers. Any mismatch between S-ACL and Turbo-ACL 
is reported via error msgs with packet dump and Salsa4 registers for further debugging. 
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Section 1. Introduction 

As the Salsa ASIC is being employed in multiple GSR 12000 Linecards, new requirements for this design have 
emerged that necessitate a spin. The following functionality is being considered for the spin, which is being called 
SALSA4: 

• ECC Protection on Routing Table Memory (EDO) Interface 

• Hardware based access list implementation. 

Each of these features are discussed in much detail in the following sections. They have been implemented with 
the following assumptions: 

• Pin-for-pin compatibility with previous revisions of Saisa. This limits Salsa4 to the original 503-pin EPBGA 
package and the LSI G10p process. 

• Quick turnaround solution, that provides chips in hand within 3 months. 

• Low risk changes that can be easily synthesized and verified within the allotted turnaround time. 
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Section 2 Functional Description of IVIodifications 



2.1 Hardware-based access-list filtering 

TTM based multi-port linecards (primarily DS3, Fast Ethernet and Gigabit etheret) are not expected to 
sustain an acceptable packet rate with software-only based extended access lists. The following 
performance has been demonstrated with "benchmark" access-lists obtained from ISPs. 



Table 1: Performance of Extended Access Lists on exisitng GSR linecards, 
using a software-only approach 



Access List 


Linecard 


L2 Cache? 


Performance 


Internal (256 entries) 


Jaguar 


Yes 


38Kpps 


Internal (512 entries) 


Jaguar 


Yes 


32Kpps 


Internal (256 entries) 


QOC3 POS 


No 


35Kpps 











2.1.1 The ACL Tree 

Salsa4's solution is a hardware engine that traverses a ilnked-list implementation of the ACL (the 
ACL tree). There are several start points to the tree, and these are stored in a hash table that is 
accessed once per packet. There is one tree for each port of the linecard. Each entry in the user's 
access-list corresponds to one or more nodes in the ACLtree. The diagram below shows the 
implementaion: 
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Each node in the tree is an instruction to Salsa4, to compare one or more fields of the incoming packet, 
against a value determined by the ACL The node is a 64bit entity of the following format: 
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32 2 4 10 8 8 



operand 


target 


opcode 


node base 


nnatch offset 


miss offset 



operand This field is the value to be compared against, but its format 

depends on the type of comparison defined by the opcode bits . For a 
32 bit compare^ this field is the entire 32bit value to be compared 
against. For 16 bit compares, the upper 16bits is the value and the 
lower 16bits are mask bits. 



target The target field indicates to Salsa4, which field in the incoming 

packet is to be used for the compare. The decode is: 

00 Source Address 

01 Destination Address 

10 The 32bit concatenation of {Dest.Port, Protocol , TOS> 

11 The 32bit concatenation of {SourcePort, Protocol, TOS} 



An opcode to define the type of compare: 

0000 STOP. (See operand field for information on permit/deny) 

0010 16bit compare of UPPER 2 BYTES of target 

0011 16bit compare of LOWER 2 BYTES of target 

0100 16bit greater-than compare of UPPER 2 BYTES of target 

0101 16bit greater-than compare of LOWER 2 BYTES of target 

0110 32bit compare against ACL Mask Register 0 

0111 32bit compare against ACL Mask Register 1 

1000 32bit compare against ACL Mask Register 2 

1001 32bit compare against ACL Mask Register 3 

1010 32bit compare against ACL Mask Register 4 

1011 32foit compare against ACL Mask Register 5 

1100 32 bit compare against ACL Mask Register 6 

1101 32bit compare against ACL Mask Register 7 

1110 32bit compare against ACL Mask Register 8 

1111 3 2bit compare against ACL Mask Register 9 



This is the lObit base address for the next node addresses. This base 
is not to be confused with the PORT base address, discussed later. 

Base offset for the next address, if the operand matches the target 
address 

miss Base offset for the next address, if the operand does NOT match the 

address target 



node 
base 

match 



Thus, as an example the access-list entries.. 

access-list 101 permit top any 2.2.2.0 0.0.0.255 eq 2000 
access-list 101 deny tcp any 2.2.2.0 0.0.0.255 

would be innplennented In the following manner, in the ACL tree: 
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Destination address = 2,2.2.x? 



Destination address = 2.2.2.x? 



' 2_2_2_0 


1 


4'blOOO 


OAC 


00 


20 


Destination Port = 2000? Protocol 


r 

= TCP? 


2000_tcp_0 


2 


4'blOOO 


OAO 


40 


60 


Stop & Permit ^ 


r 




2_2_2_0 


1 


4'blOOO 


OAO 


80 


88 


Stop & Deny. 









4'bOOOl 











4'b006o 







Because of the inter-dependance of entries in the list, and as the example above also reveals, it is 
very important for software to maintain the user's order of ACL entries when constructing the tree. 
Without this, it is possible for packets to be permitted or denied incorrectly, it is suggested that 
software start from the bottom of the list and proceed upwards, inserting entries to the left of nodes 
in the tree, 



2.1,2 A Perl program to determine Hash size 

A peri script has been written to estimate the performance in pps, of access list lookups after they 
are hashed. The program converts actual ACL configurations into a hashed array of compare 
instructions, and provides relevant statistics on the size of trees stemming from the hash table 
buckets. The program has been written by Faisal Haq and Hari LaigudI, and is included in an 
Appendex at the end of this document. 

Based on a large database of customer access-lists (used for the design of the Toaster ASIC), and 
on ACL configurations sent to the Optical internetworking BU from AOL, results from this program 
suggest a 1024-bucket hash table as being most optimal. Larger hash tables tend to reduce the 
overall depth of trees stemming from the buckets. Smaller hash tables consume less memory and 
are quicker to update. It was found that the incremental reduction in average tree depth was lowest 
in going from 1024 to 4096-bucket hash tables. Thus we havev chosen 1024 as the size of the 
hash table, implying a 10-bit hash key. 



2.1.3 Determining which fields are used in Hash Key 

Many of the entries in a list are mutually exclusive and it is this characteristic that allows for a 
performance improvement through the use of a hash table. For instance, we could group all entries 
in a list by the first ten bits of the destination address (still preserving order within groups!!). Then 
for each packet, Salsa4 would use the first ten bits of the destination address to lookup a 1024- 
deep hash table that would then point it to all related ACL entries. 
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Grouping by destination address as it turns out nnay not be optimal for two reasons. 1) Entries with 
an "any" in the destination address field would have to be replicated on all 1024 buckets, which 
would make the table large and impact performance for every packet being hashed. 2) Depending 
on where it is deployed, the linecard may receive packets destined for only a few addresses, and 
Salsa4 would not use the hash table uniformly over ali buckets. 

After many iterations with various keys, it was determined that no one key would prove optimal 
across the entrie suite of customer ACLs. It was then decided to go with a software-selcectable key 
that was customized for the ACL entered by the customer. The criteria for selection is for bits that 
occurr most frequently in the ACLs and occur evenly as a 1 and a 0. 

So in the example below, 

access-list 101 permit top any 2.2.2.1 
access-list 101 deny tcp any 2.2.2.254 

the last 8 bits of the destination address would be among the bits chosen for the key since they 
occur in both entries, once with a value of 0 and an once with a value of 1. In contrast, the 
remaining bits of the destination address occur only £is one value. This algorithm was writen into 
the perl program mentioned in Section 2.1 .2. 

The hardware design in Salsa4 allows software to select the fields used in the key, on a per-bit 
basis, 

2.1 ,4 ACL Search Start and Stop Conditions 

Once a packet is received in Salsa4, the MTRIE lookup logic will commence. It will complete within 
4 DRAM lookups. Once the state-machine controlling this activity has returned to an IDLE state, the 
ACL lookup state machine shall begin. It generates a hash key using bits from the incoming packet, 
as specified by the software-programmed registers. 

The hash key points Salsa to a chain of ACL nodes. An internal maximum-counter is clocked on 
each node lookup. Should that counter reach 0, the ACL lookup is terminated and the results are 
iayed out in the "ACL Engine Status Register" on page 47. However, if a STOP node is found at or 
before then, the ACL lookup is ended and the results are presented in this register. 

A STOP node has a special format, as shown below: 



32 


2 


4 


13 


13 


operand 




0000 
STOP 







Table 2: Decode of information stored in the OPERAND field of a STOP node. 



Bits 


Description 


[31:4] 


ACL number associated with this STOP 


[3] 


Deny/Permit 

0 - Deny 

1 - Permit 
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Table 2: Decode of information stored in the OPERAND field of a STOP node. 



Bits 


Description 


[2:0] 


Reserved, O's 



The contents of the operand field are copied into the "ACL Engine Status Register". 



2.1 .5 Limitations of the Salsa4 Approach 

• The hardware to lookup the hash table and then follow the ACL tree will be added as an exten- 
sion of the MTRIE lookup engine on the Rx BMA interface. This produces the most significant 
limitation of the Salsa4 approach -- it can ONLY work on the Rx side. Output port based access- 
lists would still have to be done in software. 

• Salsa4 must handle per port access lists. Support for upto 8 individual ports is provided. 

• Port information for each packet can be found in either the INPUTJNFO field of the BHDR or in 
the 4-byte POS header (as used by the Eiffel project). These are the only 2 places that Salsa will 
look for port Information. 

• A maximum lookups counter will be implemented as well, to prevent Salsa4 from getting lost in a 
corrupted ACL tree. This programmeable counter maxes at 1 024 lookups, after which the packet 
is presented to the processor along with the address of the most recent access. Our tests show 
a number of cases where the lookups exceed 32. Beyond this point it is better to have software 
perform the lookups, since it may have better performance than hardware, given the L2 cache 
onn the board, 

• The node format of a node-base, with 8blt match and miss offsets means that miss/match nodes 
stemming from the current node. MUST be within 2K Bytes of each other. 

• The ACL tree size per port is limited to 2''"' . With 1 8 bits (excludes 3 LSbits, since nodes are on 
Sbyte address boundaries) remaining for addressing, we have a per-port limitation of 256K 
nodes. Note: that is 256K nodes, NOT acl-entries!l. Note that each ACL entrie may be imple- 
mented in as many as 4 nodes. 

• ACL entries with protocols not using source/desintation ports (icmp, igmp, eigrp, gre, igrp, ipinip, 
nos and ospf.) will be treated as having "don't care" ports. This is because Salsa will not recog- 
nize these types of protocols and will treat them like tcp/udp. As a result these entries will be rep- 
licated over any buckets that are represented by PROTOCOL bits in the key. (That was pretty 
confusing) 

• Tree updates on the fly if needed, would require special handling by software to make sure 
Salsa4 Isn't sent down old or null branches. 



2.1.6 Implementation in Hardware 

The implementation is best summarized In the diagrams that follow. It involves an internal state 
machine that iteratively walks through the ACL tree, starting first at a hash table, and subsequently 
following either the match or miss address of each ACL node it encounters. A maximum of 1024 
ACL nodes will be Iteratively read, after which the stsite machine stops and delivers the last read 
node. Software will then continue the search as needed. Ofcourse, if the state machine encounters 
a "Stop with Deny" or "Stop with Permif node, that too will terminate the search. 

The area for this logic is approx twice that of the MTF^IE lookup engine in Salsa4, That area was 
approx 8000 gates. There should not be any difficult^^ fitting this additional logic into the existing 
floorplan. 
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Rx Packet 




opcode 
operand 



match address 



miss address 



compare 
logic 



becomes select 
line for match/ 
miss address 



Figure 1: Comparison logic used to match/miss on a node's operand 
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node 
base 



Rx packet 



BHDR input info 



POS header 



d7 




match offset 




hash key 



/ 



miss offset 



software settings 



3'bOOQ / 



8'bOOOOO 



[31:21] 



address to hash table [31:0] 



address to next node [31:0] 
[31:21] 



[20:11] 
[10:3] 



3'bOOO 



controlled by 
internal state 
machine 



ACL node read from DRAM 



result of compare 
operation on current 
node 



Figure 2: Addressing logic for AC!- lookup engine 



2.1 .7 Expected performance 

Performance calcuiations with Salsa4 are made complicated by the hash table. Some lists off the 
hash table may be over 70 nodes long, others just 1 node long. The worst, typical and best case 
numbers below use the longest, average and shortest length lists In each hash table to illustrate 
this fact. As discussed before, we expect incoming traffic to hit all budgets of the hash table, evenly 
and therefore, the typical number would be most likely seen. 
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These calculations are based on a 650Kpps packet rate, with any ACL engine delays added to the 
1.538usec per-packet switching delay. Each "check" takes 160ns (includes RAS precharge tinne on 
the EDO) to complete. 



Table 3: Expected Performance of Extended Access Liists with Salsa4's ACL 
Engine 



Access List 


Performance 
Worst 


Performance 
Typical 


Performance 
Best 


Internal (256 entries) 


28Kpps 


266Kpps 


650Kpps 


Internal (512 entries) 


14Kpps 


171Kpps 


650Kpps 


AOL (315 entries) 


91Kpps 


352Kpps 


558Kpps 


McGill (91 entries) 


86Kpps 


352Kpps 


485Kpps 


ATT (322 entries) 


192 checks 
SIKpps 


7 checks 
376Kpps 


2 checks 
538Kpps 


BT (1035 entries) 


214 checks 
28Kpps 


24 checks 
186Kpps 


2 checks 
538Kpps 


SWBelll (940 entries) 


1768 checks 
5Kpps 


113 checks 
51Kpps 


4 checks 
460Kpps 


SWBell2 (821 entries) 


488 checks 
12Kpps 


10 checks 
319Kpps 


0 checks 
650Kpps 
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2.2 ECC Protection on DRAM Interface 



ECC protection on all 64bits is being added between Salsa4 and tine EDO DRAM Routing table Memory. 
The 8 additional bits on this interface currently being used for parity, will be used as part of the ECC 
syndrome. 

The integration of the ECC data path with the existing parity checking path is shown below:. 

K 



Jh 



parity 








check 




> 





From 
P4 



EGG 

syndrome 
generation 



diags syndrome 



> 



to/from 
DRAM 



parity 
generation 



ECC checking 
and correction 
(if necessary) 



2.2.1 Parity handling on DRAM writes by P4 

During a write, the only check Is for parity on data being read out of the write buffer. If a parity error 
is detected, 

- interrupt is sent to the processor 

- write address is captured 

- appropriate bits are set in the "DRAM Error Status Register" 

- write is aborted. 

If there is no parity error or if checking Is disabled, parity bits are dropped, an ECC syndrome Is 
calculated and written to DRAM. It is possible for software to substitute the Salsa-calculated 
syndrome with a value written into a register. 



2.2.2 Single-bit error on a DRAM read by P4 

If ECC-single-bit-error-notification is enabled, 

- the processor is interrupted 

- DRAM address is captured. 

- Corrected data (if single-bit-error-correction is enabled) or original data (if not) is passed on to the 
parity generation logic and then on to the P4 

- the occurrence of this error is captured in a clear-on-read bit in the "ECC Status Register" 

if ECC-single-blt-error-notification is disabled: 

- the processor is not interrupted 

- address and status are still captured 

- Corrected data (if single-bit-error-correction is enabled) or original data (if not) is passed on to the 
parity generation logic and then on to the P4 
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2.2.3 Multi-bit error on a DRAM read by P4 

It is not possible to correct this type of error. 

If Bus-error-on-muitibit-ECC-error is enabled 

- Bad data is fonA^arded to the P4 with good parity, but with a bus error. 

- DRAM address is captured 

- the occurrence of this error is captured in a clear-on-read bit in the "ECC Status Register" 

If Bus-error-on-multibit-ECC-error is disabled 

- Bad data is forwarded to the P4 with good parity, and no bus error 

- address and status are still captured 



2.2.4 Single/Multl Bit Errors on DRAM reads by ACiyMTRIE engines 

When the ACL and/or MTRIE LU engines encounter an ECC error, notification is made through 
status registers associated with each incoming packet. 

If ECC-singie-bit-error-notification is enabled, 

- a bit is raised in either the "ACL Engine Status Register" or the "Receive BMA Packet Synopsis 
Register". 

- DRAM address is captured. 

- Corrected data (if single-bit-error-correction is enabled) or original data (if not) is used in the 
lookup 

- the occurrence of this error is captured in a clear-on-read bit in the "ECC Status Register" 

- the engine continues searching 

if ECC-single-blt-error-notification is disabled: 

- ECC SBE's will not set the error bit in the engine status registers 

- address and status are still captured 

- Corrected data (if singie-bit-error-correction is enabled) or original data (if not) is used in the 
lookup 

- the engine continues searching 

If Bus-error-on-multibit-ECC-error is enabled 

- a bit is raised in either the "ACL Engine Status Register" or the "Receive BMA Packet Synopsis 
Register". 

- DRAM address is captured 

- the occurrence of this error is captured in a clear-on-read bit in the "ECC Status Register" 

- the engine stops immediately 

If Bus-error-on-muItibit-ECC-error is disabled 

- ECC MBE's will not set the error bit in the engine status registers 

- address and status are still captured 

- the engine stops immediately 
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Section 3. Manufacturing & Test Considerations 

The following is tfie output of isistats, on the first revision of Salsa. It is packaged In a 503 pin EPBGA. 

Section One: Design Siiiranary 



Top Module: 
Technology : 
Array Type: 
Mftg Code: 
Pad Pitch: 
Dimension: 
Routing Layers : 
Package Name: 
Package Desc: 
Primary Voltage: 
Secondary Voltage: 



salsa 

IcbglOp 

IcbglOp 

Not Available. 
2 , 9wire 

(X = 9.510, Y = 
2 

iw51 

Not Available. 
None Specified. 
None Specified. 



9.510) 



Section Two: Design Statistics Summary 



(1) . I/O Statistics 

Input Pads Used: 29 Input Slots Used: 31 

Output Pads Used: 1 Output Slots Used: 1 

Bidirect Pads Used: 308 Bidirect Slots Used: 308 



Input Pins Used: 31 
Output Pins Used: 67 
Bidirect Pins Used: 242 



Total Pins Used: 340 
Total Pads Used: 338 
Total Slots Used: 340 



(2). Design Statistics 

Logic Units Used (lu) : 360655.00 

Megacell Units Used (mu) : 227083.17 

Chip Raw Units: 3249856.00 

Logic Units Usage: 0.119 

Chip Usage: 0 .181 

Total Cells: 26592 

Total Cell Types: 163 

Total Units {lu + mu) : 587738.17 

Total Signal Nets: 28745 

Total NC Nets: 2 

Average Pins/Nets: 3.616 



An additional 112 slots on the die are used for power/ground pairs. 
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Section 4. Software Considerations 



The following tables show the Address Maps for the linecard, linecard-l/0 and Salsa4. There have not been any 
changes to these maps in this rev of Salsa. 



4.1 Line-Card Address Map 



OxFFFF_FFFF 
OxFOOO_0000 

OxEO00_O000 

OxDOOO_0000 

OxCOOO_0000 

0x8000_0000 

0x5000_0000 

0x4000_0000 

0x2000_0000 

0x1800_0000 

Ox1000_0000 

OxOOOO_0000 



Receive Pkt. Mem. (not for TTM) 



Receive Packet Memory 



Transmit Pkt Memory (not for TTM) 



Transmit Packet Memory 



Reserved 



Main Memory (Expansion) 



Main Memory * 



Reserved 



Boot FLASH Memory 



Line-Card I/O Address Space 



Main Memory * 



256M 



256M 



256M 



256M 



1G 



768M 



256M 



512IVI 



128M 



12dM 



256M 



* Mapped at mupltlpie locations 
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4.2 Line-Card I/O Address Map 



0x1 7FF FFFF 
0x1200 0000 

0x1 ICO 0000 

0x1180 0000 

0x1140 0000 

0x1 OCO 0000 

0x1040 0000 

0x1000 0000 



PLIM Address Space 



Maintenance Address Space 



ToFab FIA ASIC Address Space 



FrFab FIA ASIC Address Space 



Receive BMA ASIC Address Space 



Transmit BMA ASIC Address Space 



SalsaASIC Address Space 



96M 



4M 



4M 



4M 



8M 



8M 



4M 



4.3 Saisa ASIC Address Map 



0x1 03F FFFF 
0x1030 0000 

0x1 02C 0000 

0x1028 0000 

0x1024 0000 

0x1020 0000 



Reserved'* 



Reserved** 



Transmit Packet Window 



Reserved** 



Receive Packet Window 



1M 



256K 



256K 



256K 



256K 
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0x1010 0000 



0x1000 0000 



Reserved ** 



IM 



1M 



Salsa Register Address Space 



** These areas are reserved for future expansion. For this impiementation version of the Salsa ASIC, 
accesses to these address spaces are illegal and therefore result as bus-error for read operations or 
erroneous interrupt for write operations 
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Section 5. Updated Register List 

For the sake of completeness, both existing and new registers are shown below. Existing registers are shaded. 



Table 4: Summary of Registers 



Register Name ; ;^ 


Access 


Address 


Section 


Wafech- Dog Timer _ ^ ' ^ ^ /Vi/. 


"&-bit R/W' 


-OxlOpO 0004 




General -Puripose Counter ; \^ J - J^C 


;16-b;it R/W ; 


;^pxioo,a oooc 




Real -Time /interrupt T|imer " ' ^ ' {"S^?' 


^'tt-^bit'='R/w' 


''6kiq.o.6' ooi4_ 




Receives' Network' Disali>le Titt^f'"^''-'^"^- ; ^^'Hr-^ri''^-- 


l^e^bijtl R/W 


'^^xio.o;0; ooic 




Transihlt^'iJetwork Disable Tli^^^r ' ^^-Plslg^^; 




:.0?clOW' 0024 




Rec^we^ BMA' Bus , Time -Out Cduiit^^rj^ 'it^kl' 


'ifefiafc^i^R/W^'^ 


:0xl;0;(>^^ 002C ^ ^ : 




Tra;nj^^tt'^BHA Bus Tim^^'Out" Counter 


^''IS-bitv/rR/W'^f 


^O^iQ0;broo34,. 




Line-cardv;i/0 Bus Txir^e-OutilCo'unter ; 


:riafbi t ^ R/W^S' 


i.:0xipctci; 003C 




Tijmers/Cotinters Control R^:g;f^;t:'§,r - - ' / 




SxlOOO 0044 


Xi '^r 


Interrupt .Cause;' Register i^^<^ "^Z'^. <' 




..o^i^ppo^ oo4c 


;i5p';,\ \ 


Int e,rrupt Mask Regi s te'r ' - <^ > . -L " ^ ; / .. ' 


'^16^fii:fi\R;/W--^^ 


-SKlO^Op ^005-4 




Real -Tame 'interrupt Clear ^^eyfster.,, . . 




;^^iooo= 005C 




Rieset; to BMA Register : X'i^:. VCtii?'' " 


^8-bi.trR/W'r;; 


fi||;bo;p^ 0064 


13 : i, -:;v: 


Rieqexye Packet Done Register^- . , ^ 




10x1000 00'6C 




Transmit Packet Done - Reg ister^^^^y^^^,/ / 


^^^B^-bit.^lW^^'- ^^'"^--^ 

- 'r^;i.<'> - - 


, oil 000 0074 


' & 


L3:Asic .ipi^^gister ^ ^ " 




>|il000' 00?C 


16 V ^ V 


' Memory ;„Cbnf dgura t i on / Reg i s'ter " ' ' '^^ 




yO:^L00:0^ ^0084 


1 / , ■■' .J''' 


Mempry Combination Register _ ^r^^r^ 


'^^a,-:bifi-R7w>ii: 


3xi^&00 008C 




L3 Performance Enhancment Register V.^f.. 


;:a-bit';^R7w ; ^; 


-oxioao 0094, 


19 


Error Checking Enable Reg.ister 


8-bit R/W 


^"0x1000 009C, 


2p' 


Receive ^ip^ Bus Error Sta^t;:iib .Reg^ister 


8-bit^^^R ^ 


yftxlOOO 00A4, 




Transmit' BMA Bus Error Stattfs/ Agister 


^8~bit:R'^ ^ 


'0^1 000 OOAC, 


'22' \ ' 


DRAM Error Status Register 


,8^-iDit^;,Il ^^1^^ ^' 


6x1000 00B4 


23 


Line-card I/O Bus Error Status Register 


S^bit ^ ..^ 


OxiOOO OOBC 


24 


DRAM Catastrophic Error Address Register 


32-bit R 


0x1000 00C4 


25 
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Table 4: Summary of Registers 



Register Name 


Access 


Address 


Section 


Receive^ BMA Address Exception Register 


32-bit <R 


0x1000 oocc 


26 


Tr aiisjS'jb t BMA . Addr e s s , Exc ep t i 6n Regi s t er 


3 2 -bit ^ 


-0x1000 00D4 


' 27 


.1/0 :A39[i:ess Ekcep;|cJ.oii Register ^ ' ; 


32-hifos*=^^^^ " 


tOxlOO'br OODC 


28 ' ' 


Ij3 ^Iriterrupt Status laf ormation Register;! 


8-btt-|^«:;,:jy- 


"0x1000 00E4 


29, 


Receive rBMA Packet S^'opsis EegistiP' 




^6x1000 00F4 


, 30 


Regei^^e, gMA . Hardware; '^^A's s is t Re.gi s t er 


ST^Bifc^Riw^ ^ 


,0x1000 OOFC 


^ 31 ; 


Receive BMA ^ff^^^^^r^cB InfppciJjillon ^ 
Regi^jt^r; . \ . .^,4; - 


8^bpyiite^^^=^^^^ 


^'0x1000 0104 


>32' - 


Register, ''^ ^/^:"'''"t 




Soxitfbd 'oipc. - 


23/ ' 


^TransStE^BM^^ 

^ Recfist4r .a.. ■ ; SS-lw^ ' " ^ ^f^t ' ^^^^ 




^SxlOOb.0114 


34 


'TransMtalBm;r^Bufrer;'^ Flush -m€o^rinatlon m- 




^^o^ciooo ol^^c^^^'^ 


'35 


RedeixE: bM| Packet ;Up(d^tdffi;fyLfp" RegSste;^:: 




^fi5xl0,G0^ 0124 


36 > 


Recei^fe""3>^Li^'1 .ibr^otbcoi-'-O adentif x'fer Begis-^:i 




- OxlOGG' ai2C 


37- ' 


Keced^X^v-Blvpv,;&6'tdcdr' 1- Xde|i^tl;^fl.er 'R^gis^l: 




;o^rooo 0134^ \ 


38 . 


^^e p,eiy^p. BMA^-^s^Pr b t o c oT''^''^* - Td^'R;fcs-3L;£x e r Rfe'g i s,^1^^ 


-'S2-Bi't:^ r7w ' 




39 


Receive.:^.:gm^.I?r'6t:febl^^ Ment'irfier R'egis-^?>; 


Ir3'2^bit:!iyw" 


-oxib<fb^'"Q;i44.; : 


40 


'p:IB\.I?p:dt ^ Re^gsiter'p'^J^^^^^^^^^^^ 


^'32'-bit R/^^!y 


0x1000 '014C 


41 


^ LbaS-.i-^oAiit^ptr., ^.egi^^^^SS'^vf-^^.^^.;' ^ , \ ^'-'^^ ' -i.^ 


.32-^bit'"R;"''''^'^^'^^ 


bxlboO 0154 


42 


Lookup .ResultyReg^^ter ' - . ;^ ^- 


''32^:b±tVi^;;^ / 


; 0x1 bob' bisc ^ 


43 


Di agnos tic" "acc p s s tqSjRe c e iXre ' BMA ^ ^ 
Prefetch Buffer 0/ ^> \ , . 


6i;-bit^ R/W. 

;;i;}5yte y^) , 


;iooo_rooo - 

loooiiiosF 




DiaghVstic/accesaHto ^Receivfe ^ BJIA 
Prefe.tph ^uf fe^r , ' 'v.^^r^ 




. 100 OHIO'S 0 - 
. lOOOJODF 




Diagifqs'jbie;£|L^dces|'';^^^^ BMA , ' ' 
. Prefetch Btiff'^r 52'; - ' 'l^, 


64"bit/^R/W^ ' 


' lOO'OJlOO - 
lOOO^il^F 




Diagnostic ;:access 3tQ Transmit BMA 
Prefetch Buffer 0 ^ 


64-bit.;R/W 
(byte.^WR) ^ 


1000„1200 - 
. 1000_125F 





Cisco Systems, Inc. 



Page 19 of 66 



1 1 January, 2000 



Salsa4 ASIC: Hardware Specification: ENG-31157, Rev. 0.2 



Table 4: Summary of Registers 



Register Name 


Access 
Type 


Address 


Section 


Diagnostic access to Transmit BMA 
.Prefetch Buffer 1 


64-bit R/W 
(byte WR) 


1000^1280 - 
1000_12DF> 




piagnostic acQ^ss to Transmit BMA 
Prefetch Buffer 2'^ ' 


64-bit R/W 
(byte WR) 


1000_1300 - 
1060_135F 




Diagnostic a^Gcess to DRAM Write Buffer 


64-bit R/W 


1000_1500 - 
lOaO 15BF - 




''Diagnostic access ^ to Receive BMA Write 
XBuffer^ - 


64-bit R/W 


1000 1600 - 
1000_16BF 




..'Diagnostic aqjsess 'tO;; Transmit 'bma^ Write , 
Buffer " ^ V '-^ 


64-bit:/?R/w' 


1G;00_170'0 - 
=ip00ll7BF 




rortu AOL iree base Register 


32bit R/W 


0x1000 0164 


44 


Port1 ACL Tree Base Register 


32bit R/W 


0x1000 01 6C 


45 


rOTXd AOL Iree base Register 


32bit R/W 


0x1000 0174 


46 


Ports ACL Tree Base Register 


32b it R/W 


0x1000 017c 


47 


Port4 ACL Tree Base Register 


32bit R/W 


0x1000 0184 


48 


Porto ACL Tree Base Register 


32bit R/W 


0x1000 01 8C 


49 


Port6 ACL Tree Base Register 


32bit R/W 


0x1000 0194 


50 


rortz AOL Tree Base Register 


32b it R/W 


0x1000 01 9C 


51 


ACL Engine Config Register 


16bit R/W 


0x1000 01 A4 


52 


ourrent AoL Node HI Bytes Register 


32bit R 


0x1000 01 AC 


53 


ourrent aol Node Lu Bytes Register 


32bit R 


0x1000 01 B4 


54 


ourrent aol nasn r\ey Register 


8bit R 


0x1000 01 BC 


55 


ACL Engine Status Register 


32bit R 


0x1000 01 C4 


56 


A^^l E I^^A^ t^AL J ^^aIaaXIam r^AAk!^x^» 

AOL Hash Key Selection Register 


32bit IR/W 


0x1000 01 CC 


57 


AOL riasn rvey oeieciion Register 


32bit l^/W 


0x1000 01 D4 


58 


ACL Hash Key Selection Register 


1 6bit l=VW 


0x1000 01 DC 


59 


ACL Compare Mask 0 Register 


32bit R/VJ 


0x1000 01 E4 


60 


Ar^l r^nmnprp MaQk 1 Ronictor 
rv^i— \^\jt I lyjCLf ividorx 1 rioyioLci 


QOKit DAA/ 

o^DIl n/W 


UXIUUU Ul bO 


61 


ACL Compare Mask 2 Register 


32bit R/W 


0x1000 01 F4 


62 


ACL Compare Mask 3 Register 


32bit R/W 


0x1 000 01 FC 


63 


ACL Compare Mask 4 Register 


32bit RAV 


0x1000 0204 


64 


ACL Compare Mask 5 Register 


32bit \yVJ 


0x1000 020C 


65 
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Table 4: Summary of Registers 



Register Name 


Access 
TvDe 


Address 


Section 


ACL ComDare Ma<?k fi Rpnicitpr 


OiZ.D\l ri/Vv 


rivi nnn Ao^ a 
UX1UUU Udl4 


66 


ACL Comoare Ma<5k 7 Rpni<;tpr 


O^uW ri/VV 


ri\^-t AAA AO^ o 

UXIUUU Uzil o 


67 


ACL Comnarp Ma^k ft Rpnf<;tpr 


o^un ri/VV 


Avr-I AAA AO A y( 

UXl 000 0224 


68 


ACL Cnmn^irp M?5<5k Q Rpni^tfar 


OOKii DA A/ 

o<iDII ri/VV 


AwH AAA /%00/^ 

0X1 000 022C 


69 


ACI May NnHpQ R*:sniQtor 


i fiKIf DAA/ 


AvrHAAA AOO Jl 

0x1000 0234 


70 


Ad Ciirrpnt r^niint Ronictor 


IDDIt H 


0x1000 023G 


71 


FCC f^tatiiQ Rpnicttpr 


IDDII h 


A»j-H AAA it jl 

0x1 000 0244 


72 


EGG Diagnostic Syndrome Register 


8bit PR/W 


Ovinnn oodc, 

VJA 1 \J\J\J \J^*+\^ 


/J 


EGG Config Register 


8bit F=t/W 


0x1000 0254 


74 


EGG SBE Address Register 


32bit R 


0x1000 025G 


75 


EGG SBE Syndrome Register 


8bit R 


0x1000 0264 


76 


EGG MBE Syndrome Register 


Bbit R 


0x1000 026G 


77 



There are eigiit count-down counters implemented in the Salsa ASIG to serve various purposes. All of 
these counters are 16-bit read/write . On power-on reset, all counters are disabled and loaded with a 
default count of 65,535 (OxFFFF). Under software control, each counter can be loaded with a known value 
and enabled through proper write operations. Each timer will count as many usee clocks as the 
programmed value (I.e. a programmed value of 5, will produce a timed interval of 4 to 5 usees). All reads & 
writes to the counters must be 16-bit accesses . 



After reset, the timer Is disabled and loaded with a default value of OxFFFF, Le. 65.535 msecs. 
Start values other than the default OxFFFF, can be programmed by writing to this address. If enabled the 
timer will automatically decrement, every lus if there is a non-zero value in the counter. The enable bit can 
be found in the "Timers/Counters Control Register on page 24. 

Should the timer reach 0x0000, an NMl interrupt will be generated and the timer stops counting. To clear 
the NMl flag, software must program a new value to the Watch Dog timer. A value of 0x0000 is acceptable 
if it is desired not to restart the timer. 

At any time, the Watch Dog Timer Enable may be switched off, At that point, any value can be written to 
the Watch Dog timer, without triggering the decrement logic. Note: This timer will not generate a reset at 
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end of count, as previously proposed. 



5.2 GeneraKPurpose Coyinter 

16-bit R/W 
0X1000 pfioC 



After reset, the counter is disabled and loaded with a default value of OxFFFF 

The counter is enabled and disabled through the "Tinners/Counters Control Register" on page 24. A 
predetermined count-down value can be loaded with a 16-bit write operation at this address. Otherwise, 
an after-reset default value of OxFFFF will be assumed. 

Should the timer reach 0x0000, an interrupt will be generated and the timer stops counting. To clear the 
interrupt flag, software must program a new value to the General Purpose counter. A value of 0x0000 Is 
acceptable if it is desired not to restart the timer. At any time, the General Purpose counter Enable may be 
switched off, Once this is done, any value can be written to the timer, without triggering the decrement 
logic. Note: This is different from the IRSP interrupt scheme. Software does not need to l<eep polling this 
counter! 









^•»:..".'J'J-"'-,>t*|jy._.. ; ..j/ " • ' 







After reset, the timer is disabled and loaded with a default value of OxFFFF 



The timer is enabled and disabled through the "Timers/Counters Control Register" on page 24. A 
predetermined count can be loaded with a 1 6-bit write operation at this address. Otherwise, an after-reset 
default value of OxFFFF will be assumed. 

If the counter is enabled, a decrement occurs once every usee. It will count down until it is disabled or 
when it reaches a value of 0x0001 . As a result, an interrupt will be latched and issued. On the next clock 
the timer will be reloaded with the previous loaded value. Software needs to acknowledge the interrupt and 
clear the interrupt latch by performing a write operation to the "Real-Time Interrupt Clear Register" on 
page 26. 



After reset, the timer is disabled and loaded with a default value of 0x0000. 



This special timer is used to disable the receive networi< interrupt \ox a period of time. Software must write 
a 16-bit value to this register, causing it to start decrementing once every 20ns if the timer is enabled. 
During the decrement, the receive network interrupt will be blocked. When the timer value reaches zero, it 
will remain there and un-block the receive network interrupt. The timer will not be activated until software 
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writes to it again. Note: This timer does not generate an interrupt! 

5J Transmit Network Disable Timer 

16-bit FVW 
0x1000 0024 

After reset, the timer is disabled and loaded with a default value of 0x0000. 

This special timer is used to disable the transmit network interrupt for a period of time. Software must write 
a 16-bit value to this register, causing it to start decrementing once every 20ns if the timer is enabled. 
During the decrement, the transmit network interrupt will be blocked. When the timer value reaches zero, it 
will remain there and un-block the transmit network Interrupt. The timer will not be activated until software 
writes to it again. Note: This timer does not generate an interrupt! 

' Receive BMAiusTm P\ v ^~ 

OxI^O^tfe.^ " '^55 \ ^r; V ^ ' 

After reset, the timer is disabled and loaded with a default value of OxFFFR 

A predetermined count can be loaded with a 16-bit write operation at the timer's address. The timer, 
however, will not be activated until a legal operation is initiated on the Receive BiVIA Bus by the L3 ASIC. 
The timer will be reloaded with the programmed count value and start counting down at a rate of one 
microseconds immediately after the Request cycle. It will stop counting if the counter is exhausted or 
when the bus transaction ends, i.e. when the bma_req_l goes away. If the timer expires before the end of 
the bus transaction, a corresponding error bit will be set in the Receive BMA Bus Error Status Register, 
Depending on the operation type, a bus error or an erroneous interrupt is posted to the P4 processor. Note: 
The count value should be selected to be larger than the longest bus transaction, I.e. the prefetch 
operation. 



After reset, the timer is disabled and loaded with a default value of OxFFFF. 

A predetermined count can be loaded with a 16-bit write operation at the timer's address. The timer, 
however, will not be activated until a legal operation is initiated on the Transmit BMA Bus by the L3 ASIC. 
The timer will be reloaded with the programmed count value and start counting down at a rate of one 
microseconds immediately after the Request cycle. It will stop counting if the counter is exhausted or 
when the bus transaction ends, i.e. when the bma_req_l goes away If the timer expires before the end of 
the bus transaction, a corresponding error bit will be set in the Transmit BMA Bus Error Status Register. 
Depending on the operation type, a bus error or an erroneous interrupt is posted to the P4 processor. Mote: 
The count value should be selected to be larger than the longest bus transaction, I.e. the prefetch 
operation. 
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5.8 Lin^-card I/O Bus Time-Out Counter 

ie-bitFil/w 
pxiQo6qo3c 

After reset, the timer is disabled and loaded witli a default value of OxFFFR 

The timer is enabled or disabled through its enable bit in the Counter Control Register @ 0x1 000 0044. A 
predetermined count can be loaded with a 16-bit write operation at the timer's address. The timer, 
however, will not be activated until a legal operation is initiated on the Line-Card I/O Bus by the L3 ASIC. 
The timer will be reloaded with the programmed count value and start counting down at a rate of one 
microseconds immediately after the Request cycle. It will stop counting if the counter is exhausted or 
when the bus transaction ends, i.e. when the io_strobe„l goes away. If the timer expires before the end of 
the bus transaction, a corresponding error bit will be set In the Line-Card I/O Bus Error Status Register. 
Depending on the operation type, a bus error or an erroneous interrupt is posted to the P4 processor. Note: 
The count value should be selected to be larger than the longest bus transaction. 





iflfgister ' t;S='-;. 

















After reset, the register is loaded with a default value of 0x00. 



The register is read/write through 8-bit operations. Immediately after reset, the P4 processor needs to 
write to this register with bit 2 set to "1" in order to enable the real-time interrupt. 

Bit Description 

4 Watch Dog Timer Enable 

0 - Disabled 
1- Enable 

3 General-Purpose Counter Enable 

0 - Disabled 

1 - Enabled 

2 Real-Time Timer Enable 

0 - Disabled 

1 - Enabled 

1 ''Receive Network Disable" Timer Enable 

0 - Disabled 

1 - Enabled 

0 "Transmit Network Disable" Timer Enable 

0 - Disabled 

1 - Enabled 
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5,10 Interrupt Causey Register 

16bit R 
0x1000 004C 

After reset, the register is loaded with a default value of 0x0000. 
This register captures the source of the general interrupt, sent to the P4. 
Bit Description 



[15 : 14] 






13 


Indirect 8 


Receive PSA ASIC {external) 


12 


Direct #0 


Receive Network Interrupt. 


11 


Direct #1 


Transmit Network Interrupt, 


10 


Direct #2 


Maintenance Bus Interrupt . 


9 


Direct #3 


L3 Interrupt . 


8 


Indirect #0 


Receive BMA ASIC (external) . 


7 


Indirect #1 


Transmit BMA ASIC (external) . 


6 


Indirect #2 


ToFab FIA ASIC (external). 


5 


Indirect #3 


FrFab FIA ASIC (external) 


4 


Indirect #4. 


PLIM Interrupt Int-0 (external) 


3 


Indirect #5 . 


PLIM Interrupt Int-1 (external) 


2 


Indirect #6a 


General Purpose Counter Interrupt 


1 


Indirect #6b 


Real-Timer Interrupt. 


0 


Indirect #7 


Error Interrupt. 




After reset, the register is loaded with a default value of OxFFFF, i.e. masking all direct and indirect interrupt 
sources. 

The register is read/write through a 16-bit operation. Software can individually enable any Interrupts by 
writing a "0" into the corresponding bits of the register. 



Bit Description 

[15:13] Reserved. 

12 Reveive PSA ASIC Interrupt Mask Bit 

11 Receive Network Interrupt Mask Bit 

10 Transmit Network Interrupt Mask Bit 

9 Maintenance Bus Interrupt Mask Bit 
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Bit 

8 


Description 

L3 Interrupt Mask Bit 


7 


Receive BMA ASIC Interrupt Mask Bit 


6 


Transmit BMA ASIC Interrupt Mask Bit 


5 


ToFab FIA ASIC Interrupt Mask Bit 


4 


FrFab FIA ASIC Interrupt Mask Bit 


3 


PLIM Interrupt-0 Mast Bit 


2 


PLIM Interrupt-1 Mask Bit 


1 


Timer Interrupt Mask Bit (masks both General Pur- 
pose and Real Time, timer interrupts 


0 


Error Interrupt Mask Bit 


11 12 ReaHime Interrupt Clear Repter 


0xiaQ0 005jC 




An 8-bit write operation to this register will clear the real-time interrupt. Data pattern Is don't care. 


5.13 Reset to Bi 




8bitiR/W 
OxioOO 0064 





After reset, the register is loaded with a default value of 0x0000. 

This register is used to send a reset to the BMA logic. A level reset signal is generated from the value 
stored In each bit. This means that each reset must be turned on and off, by setting and clearing the 
corresponding bit. 



Bit Description 

[7:2] Reserved. 

1 Rx BMA reset 

0 = No reset 

1 = Initiates a reset to the Rx BMA asic 
0 Tx BMA reset 

0 = No reset 

1 = Initiates a reset to the Tx BMA asic 



5.14 Receive Packet Done Register 

8-bit w 
0x1000 006C 
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A write operation performed on this register will clear the Fleceive Network Service Request bit of the in- 
service prefetch buffer. This in turn will set the corresponding Flush Request bit for this selected prefetch 
buffer. In order to preserve the P4's order, the flush request is queued into the Receive BMA write buffer. 
This ensures that all the previous write requests from the P4 processor will be executed before this flush 
request. 



"Si6icio^joti674 ^ ^ ^ "y^'^-^,,] ' 

A write operation performed on this register will clear the Transmit Network Service Request bit of the in- 
service prefetch buffer. This in turn will set the corresponding Flush Request bit for this prefetch buffer. In 
order to preserve the 7P4's order, the flush request is queued into the Transmit BMA write buffer. This 
ensures that all the previous write requests from the P4 processor will be executed before this flush 
request. 






This is a read-only register. Sixteen bits of information are extracted from the JTAG ID register which has 
the following format. The register Is always read as 16'h10C9. 



Bit Description 

15:12 ASIC Revision. 

11:0 ASIC Part Number. 
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5.17 Memory Configuration Register 

16-bit R/W 
0x1000 0084 

After reset, the register is loaded witfi a default value of026E, i.e. 2 clock CAS precharge, 5 clock RAS 
precharge, 4 clock WRITE tRCD, 5 clock READ tRCD, refresh rate = 15 uS. 

The values on power-up are suited for a 60ns EDO. For a 50ns EDO, this register should be programmed 
with a value of OOGE, i.e. 2 clock CAS precharge, 4 clock RAS precharge, 4 clock read and write tRCD, 
refresh rate = 15uS. The feature to increase tCP to 3 clocks is intended for lab use, and will cause 
performance degradation. In order to use this feature, tRCD must be at least 4 clocks. 

Bit Description 

15:11 Reserved. 

10 Clocks spent in CAS precharge, tCP, following an 

access. Applies to single and burst accesses. 

0: 2 clock 

1 : 3 clocks 

9:8 Clocks spent in RAS precharge (i.e RAS HI) 

00: 3 clocks 
01: 4 clocks 
10: 5 clocks 
11: 6 clocks 

7:6 Clocks spent during tRCD (i.e RAS-to-CAS) on write 

accesses 

00: 3 clocks 

01: 4 clocks 

10: 5 clocks 

11: 6 clocks 

5:4 Clocks spent during tRCD (i.e RAS-to-CAS) on read 

accesses 

00: 3 clocks 

01: 4 clocks 

10: 5 clocks 

11: 6 clocks 

3:0 DRAM Refresh Timer Value (in 

microseconds ) 

1111 - Refresh every 16 microseconds 
1110 - Refresh every 15 microseconds 
• 

000 0 - Refresh every microsecond 
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5.18 Memory Combination Register 

8-bitB/W 
0x1000 008C 

After reset, the register is ioaded with a default value of 00x1 1, i.e. Single DIMM with WMbytes 

Bit Description 

7 : 6 Reserved 

5 Niimber of DIMMs being used 

0 - Single DIMM. 

1 - Two DIMM. . 

4:0 DIMM combination must be one of 



[4:0] 


Dimm 0 


Dimm 1 


00000 


8 


8 or noth 


00001 


16 


8 


00010 


32 


8 


00011 


64 


8 


00100 


128 


8 


00101 


256 


8 


N/A 


512 


8 


00110 


16 


16 or 


00111 


32 


16 


01000 


64 


16 


01001 


128 


16 


01010 


256 


16 


01011 


512 


16 


01100 


32 


32 or 


01101 


64 


32 


OHIO 


128 


32 


01111 


256 


32 


10000 


512 


32 


10001 


64 


64 or 


10010 


128 


64 


10011 


256 


64 


10100 


512 


64 


10101 


128 


128 or 


10110 


256 


128 


10111 


512 


128 


11000 


256 


256 or 
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[4:0] Dimm 0 Dimm 1 

11001 512 256 

11010 512 512 



5.19 L3 Performance:iphaii9,nien^^^ 



8-bit R/W 7^ 
0x1000 0094, 



After reset, this register is loaded with a default value of 0x0000, i.e. all read-around-writes and prefetch 
buffers are disabled. 



Bit Description 

7 Reserved. 

6 Receive BMA Read-Around-Write Enable 

0 - Disabled 

1 - Enabled 

5 Transmit BMA Read-Around-Write Enable 

0 - Disabled 

1 - Enabled 

4 Main Memory Read-Around-Write Enable 

0 - Disabled 

1 - Enabled 

3 Enable early clear of receive net 

work interrupt 

0 - Disabled 

1 - Enabled 

2 Enable early clear of transmit network interrupt 

0 - Disabled 

1 - Enabled 
[1:0] Reserved 



5.20 Error Checking EnaWI Rejgistfer 



8-bit R/W 
0x1 000 0090, 



After reset, this register is loaded with a default value of 0x00, i.e. all checking is disabled. 
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Bit Description 

[7:5] Reserved. 

4 P4 Timeout Error Checking 

0 - Disable P4 timeout checking on 
reads taking place on the P4 bus 

1 - Enable P4 timeout checking on 
reads taking place on the P4 bus 

3 Main Memory Parity Checking & ECC Bus Error Enable 

0 - Disable write data parity check by P4 for main mem- 
ory data. Also Disables Bus Error during reads that 
show a multibit ECC error 

1 - Enable read/write parity check by P4 for main memory 
data. Also enables Bus Errors on reads that have multi- 
bit ECC errors in them. 

2 Receive BMA Error Checking 

0 - Disable error check on the receivte BMA bus inter- 
face 

1 - Enable error check on the recesive BMA bus interface 
1 Transmit BMA Error Checking 

0 - Disable error check on the transmit BMA bus inter- 
face 

1 - Enable error check on the transmit BMA bus interface 
0 I/O Checking Enable 

0 - Disable illegal Address/Data 
width checking on I/O interface 

1 - Enable illegal Address /Data 
width checking on I/O interface 



5.21 Receive BMA Bu§ Error Stitu^ 

After reset, this register is ioaded witli a default value of 0x00, I.e. no error has been detected. 

When a Receive BMA bus error occurs during an access, a corresponding bit will be set in this register. If 
the error had been due to a write operation (as indicated by bit[6] being set), an interrupt to the P4 
processor will be generated. If the error had been due to a read operation, a bus-error will be returned to 
P4. A read from this register will clear all the bits. For all bits, a "1" value indicates an Error of the 
corresponding type has occurred. 



Bit Description 
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Bit Description 

10 Receive BMA Interrupt errors: Logical OR of bits 

[7] , [6] , [5] , [2] , [1] and [0] . 

9 Receive BMA Non-interrupt errors: Logical OR of 

bits [8] , [4] and [3] , 

8 Timeout error on BMA bus, during Read 

7 Timeout error on BMA bus, during Packet prefetch 

6 Timeout error on BMA bus, durng Write dispatch 

5 Timeout error on BMA bus, during Packet flush. 

4 Bus Read Parity Error 

3 Packet service (read from prefetched packet) 
parity error 

2 Packet prefetch from Receive BMA, parity error 

1 Write dispatich parity error 

0 Packet Flush parity error 



After reset, this register is loaded witti a default value of 0x00, i.e. no error has been detected. 

When a Transmit BMA bus error occurs during an access, a corresponding bit will be set in this register. If 
the error had been due to a write operation (as Indicated by bit[6] being set), an interrupt to the P4 
processor will be generated, if the error had been due to a read operation, a bus-error will be returned to 
P4. A read from this register will clear all the bits. For all bits, a "1" value indicates an Error of the 
corresponding type has occurred. 



Bit Description 

10 Transmit BMA Interrupt errors: Logical OR of bits 

[7] , [6] . [5] , [2] , [1] and [0] . 

9 Transmit BMA Non-interrupt errors: Logical OR of 

bits [8] , [4] and [3] . 

8 Timeout error on BMA bus, during 

Read 

7 Timeout error on BMA bus, during 

Packet prefetch 

6 Timeout error on BMA bus, durng Write dispatch 

5 Timeout error on BMA bus, diaring Packet flush. 

4 Bus Read Parity Error 

3 Packet service {read from 



prefetched packet) parity error 
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Bit Description 

2 Packet prefetch from Receive BMA, 

parity error 

1 Write dispatich parity error 

0 Packet Flush parity error 



5.23 PR|ij||rbr Status Register 

After reset this register is loaded witii a default value of 0x00, i.e. no error has been detected. 

When a DRAM error occurs during an access, a corresponding bit will be set in this register. If the error 
had been due to a write operation (as indicated by bit[4] being set), an interrupt to the P4 processor will be 
generated. If the error had been due to a read operation, a bus-error will be returned to P4. A read from 
this register will clear all the bits. 

A special note about partial writes: P4 partial writes are handled as read-modify-write operations in 
Salsa4. Should an uncorrectable ECC error (MBE) occur during this operation, the write is aborted and 
both write and read error bits are set. This register's value becomes 33 during that time. 

Bit Description 

[7:6] Reserved 

5 DRAM Read Error (OR condition of bits [0] and [3] , 

shown below) 

0 - No error 

1 - Error 

4 DRAM Write Error (OR condition of bits [1-2], shown 

below) 

0 - No error 

1 - Error 

3 . DRAM Read Address Error 

0 - No Error 

1 - Read address is out-of-bounds for current memory 
combination specified in Memory Combination Regis- 
ter , page 2 9 

2 DRAM Write Address Error 

0 - No Error 

1 - Write address is out-of-bounds for current memory 
combination specified in Memory Combination Regis- 
ter, page 2 9 

1 DRAM Write Parity Error 

0 - No Error 
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Bit Description 

1 - Error 

0 DRAM Read ECC Single/Multibit Error. 

0 - No error 

1 - Either a multibit or single bit error has occurred 



5.24 One-card 1/0 Bus Error Status Register 

OxtOOO OOBC 
8-bit R 



After reset, this register is loaded with a default value of 0x00, i.e. no error has been detected. 
When an I/O bus error occurs during an access, a corresponding bit will be set In this register. If the error 
had been due to a write operation (as indicated by bit[4] being set), an interrupt to the P4 processor will be 
generated, if the error had been due to a read operation, a bus-error will be returned to P4. A read from 
this register will clear all the bits. 

Bit Description 

[7:6] Reserved. 

5 I/O Bus Read Error (OR Condition of bits [1] and [3], 

shown below) 

0 - No error 

1 - Error 

4 I/O Bus Write Error {OR Condition of bits [0] and [2], 

shown below) 

0 - No error 

1 - Error 

3 Line-card I/O Bus Read Time-Out Error. 

0 - No error 

1 - A bus timeout occurred before io_rdy_l was 
asserted 

2 Line-card I/O Bus Write Time-Out Error. 

0 - No error 

1 - A bus timeout occurred before io_rdy_l was 
asserted 

1 Illegal Line-card I/O Read Accessing Error 

0 - No error 

1 - An invalid read operation is attempted by P4 . 
Please see the summary of illegal I/O bus operatons 
listed in Chapter 3 of the BFR Quad 0C3 Linecard spec. 
(ENG-7439) . 
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Bit Description 

0 Illegal Line-card I/O Write Accessing Error 

0 - No error 

1 - An invalid write operation is attempted by P4 . 
Please see the suiranary of 



5.25 DRAM Ca^||rophic 


; EriiirriA0j|rf||s Register 




px1Q00 00C4 






32-bit R ■ 







After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 



This register captures the 32bit address at the first occurrence of any error (since its last reading) of 
the "DRAM Error Status Register" on page 33, except for SBE's. A separate address register for 
single-bit-errors can be found in "ECC SBE Address Register" on page 52. 

Bit Description 

[31:0] Address Bits [31:0] 



5.2S Recgl%BM^^J^ 

AiXer reset, the register is cleared, i.e. being loaded with a default value of 0x00. 
This register will capture 32 bits of the address at which the error occured 

Bit Description 

[31:0] Address Bits [31:0] 



5.27 Transmit BMi^^ailt^s^ExceR^^^ ; 
0x1000 00D4 ; ;; ; 

32-bit R ' \ ' \^ \, L', 'J^ 

After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 

This register will capture 32 bits of the address at which the error occured. 
Bit Description 

[31:0] Address Bits [31:0] 
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5,28 I/O Address Exception Register 

0x1000 OODC 
32-bit R 

After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 
This register will capture the 32 bits of the address at which the error occured. 

Bit Description 

[31:0] Address Bits [31:0] 



|fiK29 13 Interrupt Sta 


tu^3||fit|jltl0r1(' 




||Sss}&SiOx1.000=<K)E4 






^tm>^' -S-bitR - ," 







This register further breaks down the cause of the L3 Error Interrupt bit, bit 0[, in "Interrupt Cause Register" 
on page 25. All causes listed here are fronn internal L3 Error checking and timer logic. 



Bit 


Description 


[7:5] 


Reserved 


4 


rx_bma_e r r o r_i n t 


3 


tx__bma_e r r o r_i n t 


2 


drain_error_int 


1 


io_error_int 


0 


General Purpose or Real-Time timers liave expired 


;J|^0 Receive BR^ Register " : 


- , 0il60d00F4 


After reset, the value of this register is all zeros. 



Only bit[4] of this register is write accessible. Any upper bits are ignored during a P4 write operation. 

Bit Description 

15:11 Reserved 
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Bit Description 

10 Copy of THB bit from BHDR 

9 0 - Packet passed length check 

1 - Error: Packet failed length check 

8 0 - Packet is IPv4, no options 

1 - Error: This is not a ''fast-path" packet 

7 0 - Protocol identifier in MAC matches matches 

expected value 

1 - Error: Unknown protocol identifier in MAC 

6 0 - Prior to decrement TTL value was larger than 1 

1 - Error: Packet TTL is 1 or 0 

5 0 - Checksum validation passed 

1 - Error: Incorrect checksum detected 

4 0 - Disable hardware generated TTL and Checksum 

updates when flushing the current packet 
1 - Okay to use hardware generated TTL and Checksum 
when flushing the current packet 

Note, this disable automatically clears with each new 
packet . 

3 A sampling of the MTRIE lookup enable bit in register 

''Receive BMA Hardware Assist Register" on page 37, at 
the time the lookup starts . 

2 0 - No out-of -range error during lookup reads 

1 - Error: Encountered an out-of -range read address 
during lookup read 

1 0 - No parity error 

1 - Error: A parity mismatch occurred during MTRIE 
lookup 

0 0 - MTRIE lookup completed successfully 

1 - Error: Could not complete MTRIE lookup because no 
leaf was found after using all octets of IP destina- 
tion address 



5.31 Repeive BMA HardwiSre Assist Register "^T: ^ ^ 

5-Bit R/w ^:.^:v^ 4t7;/^'!' ^ - ^ 

After reset, this register contains the value 04. 

This register enables/disables MTRIE lookup and/or hardware TTL decrement and Checksum updates for 
all packets. Please note that bit[4] of the "Receive BMA Packet Synopsis Register" disables only on a per- 
packet basis whereas blt[0] here, disables TTL and checksum updates for all packets. 

Bit Description 

7:3 Reserved 



Cisco Systems, Inc. 



Page 37 of 66 



1 1 January, 2000 



Salsa4 ASIC: Hardware Specification: ENG-31 157, Rev. 0.2 



Bit Description 

0 - Disable 

1 ~ Enable 64 byte reversed prefetch from BMA. 

The value of Bit[l] is ignored if this bit is 0, 
and MTRIE lookup is disabled. 

0 - Disable 

1 - Enable MTRIE lookup by hardware 

0 - Disable 

1 - Enable hardware TTL decrement and Checksum recal- 
culation 



1 5.32 Receive^^^^^ Inlirmatidn Register 



After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 

For this buffer there are two associated flags: the Valid Service Request bit and the Flush Request bit. The 
Valid Service Request bit is set when a buffer is completely filled with the prefetched packet information 
from the corresponding BMA logic and ready to be processed by the P4 processor. The Flush Request bit 
of a buffer is set when the microcode is done with the currently selected buffer and wants to have its of 
data flushed back to the corresponding BMA logic. A buffer is available only when its associated Valid 
Service Request and Flush Request flags are not set, i.e. "0". 

Bit Description 



[7] Reserved. 

[6:53 Prefetch Buffer Selector 

00 = Buffer#0 is currently being selected for 
prefetching. 

01 = Buffer#l is currently being selected for 
prefetching . 

10 = Buffer#2 is currently being selected for 
prefetching . 

11 = No buffer is selected for prefetching, (equiva- 
lent to having the prefetching buffers disabled. 



4 Valid Service Request flag for Buffer#2 

0 - No service needed 

1 - Has packet information data^ needs service 
3 Valid Service Request flag for Buffer#l 

0 - No service needed 

1 - Has packet information data, needs service 
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Description 

Valid Service Request flag for Buffer#0 

0 - No service needed 

1 - Has packet information data, needs service 
In-service Buffer Selector 

00 = Buffer#0 is currently being selected for in-ser- 
vice process. 

01 = Buffer#l is currently beinc^ selected for in-ser- 
vice process. 

10 = Buffer#2 is currently being selected for in-ser- 
vice process. 

11 = No buffer is selected for in-service. Note: When 
the selector is set to "11", i.e. no buffer is 
selected for in-service, it is equivalent to 
having the in-service buffers disabled 

The Received Network Interrupt is asserted wiien any of the Valid Service Request flags are set. The 
Valid Service Request flag for the selected In-service buffer will be cleared when the P4 writes to the 
Packet Done register. 



After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 

Bit Description 
[7:53 Reserved. 
[4:3] Flush Buffer Selector 

00 = Buffer#0 is currently being selected for flush- 
ing. 

01 = Buffer#l is currently being selected for flush- 
ing. 

10 = Buffer#2 is currently being selected for flush- 
ing, 

11 = No buffer is selected for flushing, 
2 Flush Request flag for Flush Buffer #2. 

0 = Inactive 

1 = Has data, needs to be flushed back to the 
received BMA logic . 

1 Flush Request Bit for Prefetch Buffer #1. 

0 = Inactive 



Bit 

2 

[1:03 
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Bit Description 

1 = Has data, needs to be flushed back to the 
received BMA logic. 

0 Flush Service Request Bit for Prefetch Buffer #0 . 

0 = Inactive 



5.34 Transmit BMA Buffer Service lnform|tj0fl^ 

8-bltR 

0x10000114 V ' 



After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 



Bit Description 

[7] Resezrved, 

[6:5] Prefetch Buffer Selector 

0 0 = Buffer#0 is currently being selected for 



prefetching . 

01 = Buffer#l is currently being selected for 
prefetching . 

10 = Buffer#2 is currently being selected for 
prefetching . 

11 = No buffer is selected for prefetching., equiva- 
lent to having the prefetching buffers disabled. 

4 Valid Service Request flag for Buffer#2 

0 - No service needed 

1 - Has packet information data, needs service 
3 Valid Service Request flag for Buffer#l 

0 - No service needed 

1 - Has packet information data, needs service 
2 Valid Service Request flag for Buffer#0 

0 - No service needed 

1 - Has packet inf ooonation data, needs service 
[1:03 In-service Buffer Selector 

0 0 - Buffer#0 is currently being selected for in-ser- 
vice process. 

01 ~ Buffer#l is currently being selected for in-ser- 
vice process - 

10 ~ Buffer#2 is currently being selected for in-ser- 
vice process . 
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Bit Description 

11 = No buffer is selected for in-service. When the 
selector is set to ''11", i.e. no buffer is selected 
for in-service, it is equivalent to having the in-ser- 
vice buffers disabled. 

The Transmitted Network Interrupt is asserted when any of the Valid Service Request flags are set. The 
Valid Service Request flag for the selected In-service buffer will be cleared when the P4 writes to the Packet 
Done register. 



5.35. Transmit BM A Buffer FI|ipM^ Register . 


After reset, the register is cleared, i.e. being loaded with a default value of 0x00. 




Bit 


Description 






[7:5] 


Reserved. 






[4:3] 


Flush Buffer Selector 








00 - Buffer#0 is currently being selected 


for 


flush- 




ing. 








01 = Buffer#l is currently being selected 


for 


flush- 




ing . 








10 = Buffer#2 is currently being selected 


for 


flush- 




ing . 








11 = No buffer is selected for flushing. 







2 Flush Request flag for Flush Buffer #2 . 

0 = Inactive 

1 = Has data, needs to be flushed back to the transmit 
BMA logic. 

1 Flush Request Bit for Prefetch Buffer #1. 

0 = Inactive 

1 = Has data, needs to be flushed back to the transmit 
BMA logic . 

0 Flush Service Request Bit for Prefetch Buffer #0. 

0 = Inactive 

1 = Has data, needs to be flushed back to the transmit 
BMA logic. 
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5-36 Recelye BMA Packet Updated Info Register 

32 bit R 
0x100010124 

After reset the contents of this register are indeternninate. After an Rx packet service request is issued, this 
register wiii hold values relevant to the current packet being pointed to in the "Receive BMA Buffer Service 
Information Register" on page 38. 

Bit Description 

31:24 Updated Time- to-live 

23:16 Reserved 

15:0 Updated header checksum 



Sjp Receive BMA Protocol 0 Identifier Register 

0x1000 0120 



After reset, the register has an indeterminate value. 

This register contains the value of a protocol identifier that is compared against bits [31:0] of the MAC 
header field in the Receive Packet Window. 

Bit Description 

31:0 The value to check for, in the prefetched packet's MAC 

header . 



5.38 Receive BMA Rrotocdl l Identifier Register 

32blt R/W 
0x1000 0134 

After reset, the register has an indeterminate value. 

This register contains the value of a protocol identifier that is compared against bits [31 :0] of the MAC 
header field in the Receive Packet Window. 

Bit Description 

31:0 The value to check for, in the prefetched packet's MAC 

header . 
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5.39 Receive BMk Protocol 2 Identifier Register 

32bit R/W 
0xi000 013C 

After reset, the register has an indeterminate value. 

This register contains the value of a protocol identifier that is compared against bits [31 :0] of the MAC 
header field in the Receive Packet Window. 

Bit Description 

31:0 The value to check for, in the prefetched packet's MAC 



This register contains the value of a protocol Identifier that is compared against bits [31:0] of the MAC 
header field in the Receive Packet Window. 



header . 




After reset, the register has an indeterminate value. 



Bit 



Description 

The value to check for, in the prefetched packet's MAC 
header . 



31:0 



5.41 F(B RoStfl^ister ; ; ; V ^ 



32bit R/W 
0x1 000 01 4G 





After reset the register has an Indeterminate value. 



This register is the Base Address for all MTRIE lookups. 



Bit 



Description 



31:24 



Reserved. 



23:0 



FIB Root address 
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5.42 Leaf Pointer Register 

32bitB 
0x1000 0154 

After reset the value of this register is ail zeros. 

This register holds one of two values. For a successful MTRIE lookup with all checks passed, the value in 
this register is the leaf pointer for the current packet in service. The checks are: 

1. THB-0 

2. Packet Length check passed 

3. Packet is IPv4 with no-options 

4. Identifiable protocol field in encapsulation MAC header 

5. TTL is larger than 1 

6. Checksum validation 

7. MTRIE lookup was enabled at the time of lookup 

8. No parity errors during lookup 

9. A leaf was found within 3 lookup attempts. 

If any of the checks fail, the value in this register Is all zeros. 
Bit Description 

31:1 bits [31:1] of the leaf pointer read from MTRIE lookup 



This is the last read value from MTRIE lookup, before the packet was given for service to the P4. If no 
errors occurred during hardware assist, this register will contain the Leaf pointer, equivalent to the "Leaf 
Pointer Register", above. 



or all zeros 



0 



Always zero 




After reset the value of this register is all zeros. 



Bit 



Description 



31:0 



bits [31:1] of the last read from MTRIE lookup 



,5.44 Porto ACL Tree Base Register 

32bit R/W 
; 0x1000 0164 
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5.45 Porti ACL Tree Base Register 

32bit B/W 
0x1000 01 6C 



5.46 Port2 ACL Tree Base Register 

32bit R/W 
0x1000 0174 



5.47 Porta ACL Tree Base flegfster 

32bit R/W 
« 0x1000 017C ....... ; 



IISi48 PoM ACL Tree Base: Register 

, 32bit R/W , 
0x1000 0184 _ 



5.4^ Ports ACL Tree Base Rei 


gister*-- ^ •■• , 


32bitR/W 




• bxio6o bi8C , ; 





WO Ports: ACL Tree Base Re§rster#&^^^^H 

32bitR/W 



53^ Port? ACL Tree Base Register:^ T ; ll^i 

OxtOOO 019C ^ ^ ^ ^ \. . ' 'rl 



After reset the value of the above 8 registers will be zeros 
Bit Description 

31:21 Contains the 13 bit based address of the ACL tree of 

that port 

19:0 Reserved read as zeros 
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5.52 AGL Ingine Config Register 



16bit R/W 
0x10b601A4 



After reset the value of this register is all zeros 



Bit Description 

15:2 Reserved — read as zeros 

1 Port-info location in packet 

0 - port information is located in bits [25:24] of 

word [5] of the BHDR 

1 - port information is located in bits [8:6] of the 

4byte POS-liJce MAC header 

0 ACL Engine enable 

0 - ACL engine is disabled 

1 - ACL engine is enabled 



5 J3 CurrtiJlGL Node Hl^^^^ ; , , ^ 

After reset the value of this register is all zeros. 

Bit Description 

31:0 Bits [63:32] of the most recently read ACL node 



5.54 eurr||t AGL Ndjif ^ if^S; Register 



€xiooo oie4 ; 



After reset the value of this register Is all zeros. 

Bit Description 

31:0 Bits [31:0] of the most recently read ACL node 



5.55 Currehf ACL Hash Key Register 



IpbjtR 
OxIdOOOIBC 
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After reset the value of this register is all zeros. 



Bit Description 

15:10 Reserved; Read as zeros 

9:0 The value of the key used in the most recent ACL Hash 

table lookup 



■gSiS ACL ingine S 


tat|is|i! Register 


^^^-^^0iooo Q1C4; 





After reset the value of this register is all zeros. 



Bit Description 

31:4 Bits copied from the operand field of the STOP node 

3 Permit/Deny bit. This bit is also copied off bit [3] of 

the operand field of the STOP node. 

0 - Permit 

1 - Deny 

2 ACL Engine out-of-range address error 

0 - No error 

1 - An out-of -range DRAM address error has been 

encountered. See the ''DRAM Catastrophic Error 
Address Register" for the offending address 

1 ACL Engine uncorrected ECC error 

0 - No error 

1 - The ACL engine encountered a uncorrectable ECC 

error during a DRAM read. See the ''DRAM Cata- 
strophic Error Address Register" for address 
information 

0 ACL Engine maxed out error 

0 - The ACL engine completed successfully. 

1 - The ACL engine did NOT reach a permit /deny node at 

the end of the maximum number of lookups 

Bits [3:0] of this register are all zeros for a packet that has completed ACL lookup and is permitted. 

5.57 ACL^te Key LO Selection Register 

3?bjtRiw 

After reset the value of this register Is 32'hOOOOOOOO. 
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Bit Description 

31:24 Selection bits for bit [3] of the hash key. 

22:16 Selection bits for bit [2] of the hash key. 

15:8 Selection bits for bit[l] of the hash key. 

7:0 Selection bits for bit[0] of the hash key. 



These selection bits are used to construct the hashkey, one bit at a time. Each byte selects one of the 256 
bits in the 32bytes immediately following the BHDR. 

5.58 ACL Hash Key MID SeteetlcKn Register 

16bitR/W V 
0x1000 0104 



After reset the value of this register is 32'hOOOO. 



Bit Description 

31:24 Selection bits for bit [7] of the hash key. 

22:16 Selection bits for bit [6] of the hash key. 

15:8 Selection bits for bit [5] of the hash key. 

7:0 Selection bits for bit [4] of the hash key. 



These selection bits are used to construct the hashkey, one bit at a time. Each byte selects one of the 256 
bits in the 32bytes immediately following the BHDR. 



5.59 ACL Hash Key HI Selection Register 
i6bitR/w ; 

0x1000 01 DC ; 



After reset the value of this register is 16'h0000. 

Bit Description 

15:8 Selection bits for bit [9] of the hash key. 

7:0 Selection bits for bit [8] of the hash key. 

These selection bits are used to construct the hashkey, one bit at a time. Each byte selects one of the 256 
bits in the 32bytes immediately following the BHDR, 



5.60 ACL Compare Mask 0 Register 

32bit R/W 
0x1000 01 E4 
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5.61 ACL Compare Mask 1 Register 

32bit R/W 
0x1000 01 EC 



5.62 ACL Compare WlasK 2 Register 

32bitR/W V 1=4 

0x1000 01 F4 : ■ 



5,63 ACL Compare Mask 3 Register 

... 32bit.R/W , ,.r:.,.r;: r^f ■ ^ 
; 0x(i[,O0OiOl FC. . ■■ ■'« -■f*i='=*«t.^iSp ' 



;vfe5 


.fiMCLCompa 

l32bitR/W 


,:::T Z::: 'i:':'2 ' . 




v;;;;;oxj'op6;pc»4., ,, 





5.05 'ACL d'ompsfililill 



5.66 ACL Gomf^;^i%::| 

32bit R/W ; ' ■ * 


i&6:f||tfe|:r; ^ """"" 


0x1000 0214^ : 






5.6l ACL Compare Masl< 

32bit R/W . 


: 8 Register 


s HQKI 000 0224 





5,f IdfCL Compare MmH I^Pe^isMI 

32bitR/W 

0X1000 022G ^ ; 



After reset the vaiue of this register is all zeros. 
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Bit Description 

31:0 32 bit mask set used during the comparison of ACL 

Nodes. Each bit value of 1 masks the compare of the 
corresponding bit in the ACL node OPERAND field. 



5J0 ACL ^ax Nodes Register 



16bitRAW 
0x1000 0234 



After reset the value of this register is 0. 

Bit Description 

15:10 Reserved. Read as zeros 

5:0 Maximum number of ACL node lookups, before the packet 

is handed over to software, for completion. 

As a special note for TTM projects, the following calculations suggest a value to program to this register: 

TTM linecard TX rate 650Kpps 

Salsa engine max performance 850Kpps 

Max per-packet delay that can be tolerated by Salsa 

engine, before it becomes the bottleneck 5000ns 

Each ACL lookup takes 16 0ns (includes DRAM precharge) 

Max Number of ACL lookups within this time 32 



; 5 Jl ACL durrent Count Regis 
;oxioO(fcqg3G 



After reset the value of this register is 0. 

Bit Description 

15:10 Reserved. Read as zeros 

9:0 The actual number of ACL node lookups, before the cur- 

rent packet was passed on to software 
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5J2 ECC Status Register 




16bitR 
0x1000 0^44 




" After reset the value of this register is 0. 




Bit Description 




15:2 Reserved. Read as zeros 




1 Single-bit error on read 

0 - No error 

1 - Error occurred 




0 Multiple-bit error on read 

0 - No error 

1 - Error occurred 




All error status bits in this register clear upon read. 




^0 ECG Diagni^ic Syndrome Regi^er ; : : 








After reset the value of this register is 0. 




Bit Description 




7:0 Provides direct write access to syndrome register. 

contents of this register will be written to DRAM 
bit [1] of the '^ECC Config Register" has been set 


The 
if 


5Ji* ECC Config Register 




'[ ^8bitR/W ^ ^ ^ 'CI '^^'^ 
. ^^^0x1000^^0254^ ^ ^ ^ 




After reset the value of this register is 8'b0000„0101 . 



Bit Description 

7:3 Reserved. Read as zeros 
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Bit Description 

single bit error correction 

0 - Disabled 

1 - Enabled 

Single bit error notification 

0 - Single bit read errors will be silently corrected 

and forwared to the processor 

1 - Single bit read errors will cause an interrupt. 

Errors will be corrected as data is forwarded to 
the processor 

Use hardware-generated syndrome 

0 - The value in the "ECC Diagnostic Syndrome Regis- 

ter" is used during DRAM writes. This is NOT the 
normal mode of operation, and should only be used 
during diagnostic testing. 

1 - A hardware-generated syndrome is used for writes 

to DRAM. 



0x1000 &25C 



After reset the value of this register is all zeros. 

Bit Description 

31:0 Contains the address of the first SEE since the "ECC 

Status Register" was last read. 



^76 Ej^ |ap ^ftlrome fll^ 



8bit R ^ - 
0x1000 6264 



After reset the value of this register is all zeros. 

Bit Description 

7:0 Contains the syndrome of the first SBE since the ''ECC 

status Register" was last read. 
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5 J7 ECC MBE Syndrome Register 

8bit R 

0x1000 026c 



After reset the value of this register is all zeros. 



Bit Descriptioni 

7:0 Contains the syndrome of the first MBE since the "ECC 

Status Register" was last read. 



Cisco Systems, Inc. 



Page 53 of 66 



1 1 January, 2000 



Salsa4 ASIC: Hardware Specification: ENG-31 157, Rev. 0.2 



Appendix A Perl program used to choose a 
hashing key. 

To better understand this problem, a Perl program v/as written to calculate the number of checks a 
packet would encounter based on the hash key generated from its fields. The input to the perl 
program is a customer ACL. The results after this program are based on a smaller hash size of 
256buckets, and was based on a 315 entry ACL from AOL. 

# ! / sw/current/hppabin/perl5 

################################################################# 



# # 

# acl2tree.p A perl5 program to traverse an ACL and determine # 

# what the worst delays would be for a hardware # 

# tree lookup algorithm. # 

# acl2tree-p <ACL file> # 

# # 



##########################################tt###################### 



# get the options handling package, 
require ''getopts ,pl" ; 

# define the options that we expect. 
ScGetopts ( 'v' ) ; 

# check that the options that we need have been set . 
if ($#ARGV < 0) { 

print " 

ACL2TREE.P A perlS program to traverse an ACL and determine what the 

worst delays would be for a hardware tree lookup algorithm. 
acl2tree.p -v <ACL file>, where 
-V Produce verbose output 

\n"; 
exit 1; 
} 



use POSIX; 

%hoprot = ( 
udp => 17, 
tcp => 6, 
ip => 4, 
ipinip => 4, 
icmp => 1, 
igrp -> 9, 
gre => 47, 
igmp => 2 , 
nos 94, 
ospf => 89, 
) ; 

%holabels = ( 
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bgp => 179, 

biff => 512, 

bootpc => 68, 

bootps => 67, 

chargen => 19, 

cmd => 514, 

daytime => 13, 

discard => 9, 

dnsix => 195, 

domain => 53 , 

echo => 7, 

"echo -reply" => 8, 

exec => 512, 

finger => 79 , 

ftp => 21, 

"ftp-data" => 20, 

gopher => 70, 

hostname => 101 , 

ident 113, 

ire => 194, 

klogin -> 543, 

kshell => 544, 

log => 513, 

login => 513, 

Ipd => 515, 

mobile-ip => 434, 

nameserver => 42, 

"netbios-dgm" => 138, 

"netbios-ns" => 137, 

ntp => 118, 

nntp => 119, 

^'packet-too-big" => 32, 

pop2 => 109, 

pop3 => 110, 

rip => 520, 

smtp => 25, 

snmp 26, 

snmptrap => 27, 

sunrpc => 111, 

syslog => 514, 

tacacs => 49, 

talk => 517, 

telnet => 23, 

tftp => 221, 

time => 37, 

UUCP -> 54 0, 

whois => 43, 

www => 80, 

xdmcp => 177, 

) ; 



##################################################################### 
# Initializations # 
##################################################################### 



$hwc hecks = 2 ; 
$filename = $ARGV[03 ; 
$nbits = 88; 
$bmax = 88; 
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$binin = 88; 

$bind = 16; 

$outbits = 12; 

$endhash = (2 * *$outbits ) ; 

for ($i=0; $i < $nbits; $i++) { 

$min[$i] = $i; 

$max[$i] = 0; 

$2erocount [$i] = 0; 

$onecount [ $i] = 0; 

$outstr[$i] = '0'; 



########################## 

# Count the 0 and 1 occurrences of each of the 88 bits # 

# by parsing file once # 

########################## 

open (ACLFILE, $ARGV[0]) or die; 

while {<ACLFILE>} { 

if {$_ i- /"[ ] *access-list/) { 
tsilently ignore line 
next ; 
} 

elsif {l(/udp/ II /tcp/ II /ip/ II /icmp/ || /igrp/ || /gre/ || 
/igmp/ I I /nos/ | | /ospf/) ) { 
print (''ERROR: Unknown protocol type in next line ! \n$_\n" ) ; 
die ; 

} 

#implicit else condition is to continue. . 
chop ; 

©aclarr = parse__current_line ( $_) ; 



# Hari ' s code . . . 

# cycle from 0 to nbits and update zero/one counts based on (0,1, x) 

# also keep track of min/max of zero/one counts 
for ($i = 0; $i < $nbits; $i++) { 

if {$aclarr[$i] eq 'x'){ 

$zerocount [$i] ++; 

$onecount [ $i ] ++ ; 
} elsif ($aclarr[$i] eq '0'){ 

$2erocount [$i] ++; 
} elsif ($aclarr[$i] eq 'l'){ 

$onecount [$i] ++; 
} else { 

print ( "hash_min_max: Unknown character aclarr[$i] = $aclarr [$i] \n" ) ; 
die; 

} 

$min[$i] = ( $zerocount [ $i] < $onecount [ $i ] ) ? 

$zerocount [ $i] : $onecount [ $i ] ; 
$inax[$i] = {$zerocount [$i] > $onecount [ $i] ) ? 

$zerocount [$i] : $onecount [$i] ; 

} 

} 



##################################################################### 
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# Determine which bits occurred as 0 and 1 most evenly. These are # 

# good candidates for the key. (Hari's code) # 
##################################################################### 

# Select best bits with min/max values 
for ($i = 0; $i < $nbits; $i-t-+) { 

# 

# concatenate bitstrings { 16 bits) of max, min, index 

# sort them and then use index to set the outstr bits correctly 
# 

$fixmax = substr ( (unpack ( '"B* " , packC'n", $max[$i] ) ) } , -$bind, $bind) ; 
$fixmin = subs tr ( {unpack ( "B*" , pack("n", $min[$i] ) ) ) , -$bind, $bind) ; 
$fixind = substr ( (unpack ( "B*" , pack("n'', $i))), -$bind, $bind) ; 
$presort[$i] = $f ixmax. $f ixmin. $f ixind; 
print(''for max-$max[$i] , min=$min[$i3 and i=$i: $presort [ $i] \n" ) ; 
print (" where, fixmax = $fixmax, f ixmin=$f ixminXn'' } ; 

} 

@postsort = sort (^presort) ; 
# 

# get index from post sorted array and set those bits to 1 in outstr 
# 

for {$i=0; $i < $outbits; $i++) { 

$bitpos ~ bintodec ( substr ($postsort [ $i] , -$bind, $bind) ) ; 
$outstr [$bitpos] = '1'; 

} 

# print min/max results 
# 

foreach $w (@outstr) { 

$bitmask = $bitmask.$w; 

} 

print ("Selected bitmask=$bitmask\n" ) ; 



# Extra prints that can be put under verbose 
# 

if ($opt_v) { 

print ("\nMin="); 
for {$i=0; $i < $nbits; $i++) { 
print { ''$i=$min[$i] "); 
} 

print ( " \aMax== " } ; 

for ($i=0; $i < $nbits; $i++) { 

print ( ''$i=$max[$i] "); 

} 

print { " \nOnecount= " ) ; 

for ($i=0; $i < $nbits; $i++) { 

print ( "$i=$onecount [ $i] ) ; 

} 

print ( "\nZerocount=" ) ; 

for ($i-0; $i < $nbits; $i++) { 

print ( ''$i=$zerocount [$1] ") ; 

} 

print ( " \n" ) ; 
} 



###################################################################### 
# Using the 8 selected bits, form a key for each ACL entry that # 
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# defines where in the hash table to add that entry # 
###################################################################### 

close (ACLFILE) ; 

open {ACLFILE, $ARGV[0] ) or die; 

while {<ACLFILE>) { 

if {$_ !~ /"[ ]*access-list/) { 
#silently ignore line 
next ; 
} 

#implicit else condition is to continue. . 
chop ; 

©aclarr ~ &parse_current_line ( $_) ; 
$dongle = 

for ($i=0; $i<$nbits; $i++) { 
if ($outstr [$i] ) { 

$dongle = $aclarr [ $i ] . $dongle ; 
} 

} 

##########################################«########################## 

# walk thru the hash table, incrementing bins that fits the key # 
##################################################################### 

#cycle from 0 theu 255, and see what fits the dongle mask 

for ($i =0; $i < $endhash; $i++) { 

$bini = subs tr ( {unpack ( "B* / pack{"n", $i) ) ) , -$outbits, $outbits); 
$f its_into_mask - 1; 
@aobini - split { / / , $bini ) ; 
©aodongle = split (//, $dongle} ; 
for {$j = 0; $j <$outbits; { 

if ( ($aobini [$ j ] ne $aodongle [ $ j ] ) &■& { $aodongle [ $ j ] ne 'x')) { 
$f its_into_mask = 0; 
} 

} 

if { $f its_into_mask =-1) { 

$aoacls[$i] = $aoacls[$i] + $hwchecks; 
} 

} 



################################################################# 
# Print out the hash table, and each bin's total checks # 

################################################################# 

$max = 0; $min = 99999; $total = 0; $rows = ( $endhash/8 ) ; 
for {$i = 0; $i < {$rows-l}; $i++) { 
$- = *REP0RT2 ' ; 
if {$opt_v) { 
write; 
} 

for {$j = 0; $j < 8; { 

$max = ($aoacls [$i*8+$ j ] > $max) ? $aoacls [ $i*8+$ j ] : $max; 
$inin = ($aoacls [$i*8+$ j ] < $min) ? $aoacls [$i*8+$ j ] : $min; 
$total = $total + $aoacls [$i*8+$ j ] ; 
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} 

} 

$average = $ total /$endhash; 

print {"ACL2TREE ran on $f ilename\n" ) ; 

print ''Maximum checks: $max\nMinimuin checks: $inin\nAverage checks : $average\n" ; 



################################################################# 
# Formats for various screen dumps # 
################################################################# 

format STDOUT_TOP = 

SourceAddr DestAddr Proto . Port StartPort Key- 



format STDOUT = 

@<<«<<<«<<« ©«<«<<«<<« @«<«< @«<«< @<<«<« @«<<<«<<< 

$fullsa, $fullda, $protocol , $porttype, $startport , $dongle 



format REP0RT2 = 

%»>:%«< @>>>:@<« @»>:@«< @>»:@<« @»>:@«< ©>»:©«< @>>>:@«< @>»:@«< 
($i*8 + 0), $aoacls[$i*8+03 , {$i*8+l) , $aoacls [ $i*8+l] , { $i*8+2 ) , 
$aoacls [$i*8+2] , {$i*8+3) , $aoacls [ $i*8+3 ] , ($i*8+4) , $aoacls [ $i*8+4 3 , ($i*8+5) , 
$aoacls[$i*8+5] , {$i*8+6) , $aoacls [$i*8+6] , ($i*8+7) , $aoacls [ $i*8+7 ] 



################################################################# 
# Function definitions # 
################################################################# 



# function to calculate start port 

sub calc_start_port { 
local ($port) = @_; 
if {!$port) { 

r e turn " any " ; 

} 

elsif ( isdigit ($port } ) { 
return $port; 
} 

elsif {$holabels {$port} ) { 
return $holabels { $port} ; 
} 

else { 

print ''Error] Can't understand a port name of $port\n" ; 

die ; 

} 

} 



# A function to parse the current ACL entry, and return an array 

# of values for SA, SA-MASK, DA, DA-MASK, PROTOCOL, DEST, PORT 

sub parse_current_line{ 
local ($line) = 
my ©aclarr; 
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©word = split '\$line); 
#getting protocol type 
while ( ($w = shift (©word) ) 
{$w [- /udp/) 
&& {$w !~ /tcp/) 
ScSc ($w !- /ip/) 
&& ($w !- /icmp/) 
&& ($w !~ /igrp/) 

($w !- /gre/) 
&& ($w !- /igmp/) 
ScSc ($w /nos/) 
($w !- /ospf/) 

) { 

}; 

$protocol = $hoprot{$w}; 



#getting source address 
$w = shift {@word) ; 

if {$w /host/) { #access-list 141 permit ip host 152.163.177.207 

$fullsa = shif t (@word) ; 
$fullsamask = ^^0.0.0.0"; 
} 

elsif ($w /any/) { #access-list 141 permit tcp any 
$fullsa = $w; 
} 

else { #access-list 14 L permit tcp 198.81.7,0 0.0.0.255 

$fullsa = $w; 

$fullsamask = shift {§word) ; 
} 

tgetting destination address 
$w = shif t (@word) ; 

if {$w =- /host/) { #access-list 141 permit ip host 152.163.177.207 

$fullda = shift (@word) ; 
$fulldamask = "0.0.0.0"; 
} 

elsif ($w =- /any/) { #access-list 141 permit tcp any 
$fullda = $w; 
} 

else { #access-list 141 permit tcp 198.81.7.0 0.0.0.255 

$fullda = $w; 

$fulldamask = shif t (©word) ; 
} 

#getting port info 
$ port type = " ; 
$startport = "any"; 
while ($w = shif t (©word) ) { 
if ($w =- /range/) { 

$porttype = $w; 

$w = shif t (©word) ; 

$startport = &calc_start_port ( $w) ; 

shift (©word) ; 

} 

elsif (($w =- /gt/) | ($w =~ /eg/) | ($w /It/)) { 
$porttype = $w; 
$w = shift (©word) ; 

$startport = &calc_start_port ( $w) ; 
} 

elsif ($w =- /established/ ) { 
$porttype ~ $w; 
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$startport = 1234; 
} 

else { 

$porttype = 'eq' ; 

$startport = &calc_start_port { $w) ; 
} 



{$sa[0] . $sa[l] , $sa[2] , $sa[3] ) = split(/\./, $fullsa) ; 

{$sainask[0] ,$samask[l] ,$samask[2] , $sainask[3] ) - split (/\./, $fullsamask) ; 
{$da[0] ,$da[l] .$da[2] ,$da[3] ) =split(/\./. $fullda) ; 

{$damask[0],$dainask[l],$damask[2],$damask[3]) = split(/\./. $ full damask ) ; 
if {$opt_v) { 

#not the best place to put this write, since $dongle hasn't been 

#define for the current ACL entry. 

write; 

} 

#Convert these fields to binary, pushing them LSB first, into an array. 

#Convert SA to binary. Use x's for any or for any bit that's masked 
for {$j = 3; $j >= 0; { 

@sabits = split (//,substr{ (unpack {"B*", pack{"n", $sa[£j]))), -8, 8)); 
@smbits = split(//,substr{ (unpack ("B*", pack{^^n", $samask [$ j ] ) ) } , -8, 8)); 
for ($i=7; $i>=0; $i--) { 

$bit = ($sinbits[$i] |t ($fullsa =~ /any/))? ^x' : $sabits[$i]; 

push{@aclarr, $bit) ; 

} 

} 

#Convert dA to binary. Use x's for any or for any bit that's masked 
for ($j =3; $j >= 0; $j--) { 

@dabits = split(//,substr( (unpack {^^B*", pack("n", $da[$j]))), -8, 8)); 
©dmbits ^ split (//,substr{ (unpack {^^B*", pack{^^n", $damask [ $ j ] ) ) ) , -8, 8)); 
for ($i=7; $i>=0; $i— ) { 

$bit = ($ditibits[$i] li ($fullda =~ /any/))? ^x' : $dabits[$i]; 

push (@aclarr , $bit) ; 

} 

} 

#Convert protocol to binary, 

@protbits = split(//,substr( (unpack ("B*" , pack("n", $protocol) ) ) , -8, 8)); 
for ($i-7; $i>=0; $i— ) { 

$bit = $protbits[$i] ; 

push(@aclarr, $bit) ; 

} 

#Convert port to binary. 

@portbits = split (//,substr( (unpack (^^B*'", pack(^^n", $startport) ) ) , -16, 16)); 
for ($i==15; $i>-8; $i--) { 

$bit = {$porttype =- /eq/) ? $portbits [$i] : ^x' ; 

push { @aclarr , $bit ) ; 

} 

for ($i=7; $i>=0; $i--) { 
$bit = $portbits I$i] ; 
push(@aclarr , $bit) ; 
} 
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return @aclarr; 
} 

# A function to convert from binary to decimal 
sub bintodec { 

unpack("N", pack{"B32", substr{"D" x 32 . shift, -32})); 

} 



Experiment #1 . Hashing on the 2nd octet of the destination address: 
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Maximum checks: 185, Minimum checks: 56 



Experinnent #2. Hashing on an 8bit combination of source address (4 bits of octet 2) and destination 
address (4 bits of octet 2): 

0:12 1:119 2:11 3:30 4:16 5:11 6:11 7:11 

8:11 9:11 10:11 11:14 12:11 13:11 14:11 15:11 

16:29 17:138 18:29 19:65 20:34 21:29 22:29 23:29 
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xu / . 


■ 1 A 
. X4t 


X u o . 
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ion. 


: 11 


19 1. 

iz 1 ; 


. 1 1 
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xz J , 
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126 : 


: 11 


127 ; 
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TOO, 
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XO X . 
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132 ; 
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133 : 
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lob: 


. 1 9 

; Iz 
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14b . 
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148 : 
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149 ; 
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150 : 
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151 : 
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152 ; 
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1d3 ; 
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: Iz 


1 c /I . 

1d4 ; 
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: 11 


X D 9 : 


■ 1 A 

, X'i 


X 9 o , 
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, X X 


1 S7 ■ 
X J / . 


: 11 


158 


: 11 


159 ; 


: 11 


160 : 
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161 ; 


. t 1 o 

: iiy 


Ibz ; 
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: 11 


1 bo : 


; o U 


1 P.A • 


. X o 


XD9 . 


• 1 1 

. X X 


X O D . 


: 11 
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: 11 


16 8 : 


: 11 


Iby ; 
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• 1 A 
, X'i 


1 99 ' 
X / Z . 
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. X X 


173 ; 


: 11 


174 : 


: 11 


175 : 
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17 6 : 


: 14 


177 ; 
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178 : 
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1 9 O . 

1 / y ; 
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, X y 
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183 
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lob : 
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1 O / . 
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189 : 


: 14 


19 0 : 
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191 : 
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iy4 : 
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1 Q R ■ 
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1 Q - 

xy b , 


. X '0 
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X J / . 


. X X 


198 : 


: 11 


199 


: 11 


200 : 


: 11 


9 n 1 . 
z Ul : 


. 1 1 

: 11 


9 n 9 . 
Z UZ : 


. 1 1 
: IX 


Z U J . 


' 1 A 


9 OA ' 


. 21 


205 : 


: 11 


206 


: 11 


207 : 


: 11 


208: 


:11 


209: 


:119 


210; 


:11 


211: 


:30 


212; 


:16 


213: 


:11 


214 


:11 


215: 


:11 


216: 


:11 


217 


:11 


218: 


:11 


219: 


:14 


220: 


:11 


221: 


:11 


222 


:11 


223 


:11 


224: 


:11 


225 


:119 


226 


:11 


227; 


:30 


228: 


:16 


229: 


:11 


230 


:11 


231: 


:11 


232 


:11 


233 


:11 


234 


:11 


235 


:14 


236: 


:11 


237: 


:11 


238 


:11 


239 


:11 


240 


:11 


241 


:119 


242 


:11 


243 


:30 


244: 


:16 


245: 


:11 


246 


;11 


247 


:11 


248 


:11 


249 


:11 


250 


:11 


251 


:14 


252: 


:11 


253 


:11 


254 


:11 


255 


:11 



Maximum checks: 221, Minimixm checks: 11 

Experiment #3: Hashing on an 8 bit combination of destination address (4 bits of octet 2) and 
destination port (lower 4 bitsV 



0: 


:4 


1: 


:54 


2: 


:4 


3 : 


;23 


4: 


;7 


5 : 


:4 


6: 


;4 


7: 


:4 


8; 


;5 


9: 


:4 


10: 


:4 


11: 


:4 


12: 


;4 


13: 


:4 


14: 


;4 


15: 


:4 


16; 


:4 


17: 


:61 


18: 


:4 


19: 


;9 


20: 


:6 


21: 


:4 


22: 


;4 


23 : 


:4 


24; 


:5 


25: 


:4 


26: 


:4 


27; 


;4 


28: 


;4 


29: 


:4 


30: 


:4 


31: 


:4 


32; 


:6 


33: 


:56 


34: 


:6 


35; 


ill 


36: 


;8 


37: 


:6 


38; 


;6 


39: 


:6 


40; 


:7 


41: 


:6 


42: 


:6 


43; 


:6 


44: 


;6 


45: 


;6 


46; 


;6 


47; 


:6 


48; 


:3 


49: 


:60 


50: 


:2 


51; 


:7 


52: 


;4 


53: 


;2 


54; 


:3 


55: 


:2 


56; 


:3 


57: 


:3 


58: 


:2 


59; 


:2 


60: 


;2 


61: 


;2 


62 : 


:2 


63: 


:2 


64: 


:2 


65: 


:51 


66: 


:2 


67; 


:7 


68; 


:4 


^ 69: 


:2 


70: 


:2 


71: 


;2 


72 : 


:3 


73 : 


:2 


74: 


:2 


75; 


:2 


76; 


:2 


77; 


;2 


78: 


:2 


79: 


:2 


80: 


:22 


81: 


:67 


82; 


:22 


83; 


:27 


84; 


:25 


85; 


:22 


86; 


:22 


87: 


:22 


88: 


:23 


89: 


:22 


90; 


:22 


91; 


:24 


92; 


:22 


93 : 


:22 


94; 


:22 


95: 


: 22 


96: 


:2 


97: 


:59 


98: 


;2 


99; 


:11 


100; 


:4 


101: 


;2 


102; 


:2 


103 : 


:2 


104; 


:4 


105: 


:2 


106; 


:2 


107; 


:2 


108: 


:2 


109; 


:2 


110: 


:2 


111: 


:2 
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:7 


113; 


:64 


114; 


:7 


115; 


:12 
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:10 


117: 


:7 


118: 


:7 


119: 


;7 


120; 


:8 


121: 


:7 


122; 


:1 


123; 


:7 


124: 


:7 


125; 


:7 


126: 


:7 


127 


:7 


128; 


:2 


129; 


:51 


130; 


:2 


131; 


:7 


132; 


:4 


133; 


:2 


134 


:2 


135 


:2 


136; 


:3 


137; 


:2 


138 


:2 


139 


:2 


140: 


:2 


141; 


:2 


142 


:2 


143 


:2 


144; 


:3 


145; 


:46 


146 


:3 


147 


:8 


148; 


:6 


149; 


:3 


150 


:3 


151 


:3 


152; 


:4 


153 


:3 


154 


:3 


155 


:3 


156: 


:3 


157; 


:3 


158 


:3 


159 


:3 


160: 


:16 


161 


:59 


162 


:16 


163 


:22 


164: 


:19 


165: 


:16 


166 


:16 


167 


:16 


168 


:17 


169 


:16 


170 


:16 


171 


:16 


172 


:16 


173: 


:16 


174 


:16 


175 


:16 


176 


:2 


177 


:51 


178 


:2 


179 


:10 


180 


:4 


181 


:2 


182 


:2 


183 


:2 
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:2 
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:2 


225: 


:58 


226: 


:2 


227: 


:7 


232: 


:3 


233: 


:2 


234: 


:2 


235: 


:2 


240: 


;8 


241: 


:72 


242: 


:8 


243 : 


:28 


248: 


:9 


249: 


:8 


250: 


:8 


251: 


:9 



Maximum checks: 72, Minimiam checks: 2 



1 ftp ■ 


. z 


1 ftQ • 


: 2 


19 0 : 


; 2 


191 ; 


: 2 


1 OS . 






. z 




. z 


-L -7 -7 . 


: 2 


zU4 : 


; z 


O fl - 

z u 3 ; 


: Z 


Z U o 1 


. Z 


Z U / , 


. z 


212: 


:4 


213: 


;2 


214: 
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:4 


229: 
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:2 
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:2 
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:2 


244: 
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:8 
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Appendix B Prefetch Packet Header Format 



31 29 27 25 23 21 19 17 15 13 11 09 07 05 03 01 
30 28 26 24 22 20 18 16 14 12 10 08 06 04 02 00 

BHDR: 8 x 4Bytes 

4_ + _ + _ + _+_4._ + _ + _ + _+ _ + _ + _+_ + _ + _ + _+_ + _ + _ + _+_ + _ + _ + _ + _ + _ + _ + _ + _ + + 

I NA I 0 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I NA I 1 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I NA I 2 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I NA I 3 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
1 NA I 4 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
|t| Input Info. I NA | length | 5 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I NA I 6 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ -+-+-+-+-+-+-+-+-+ 
I NA I 7 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

MAC header: 1 x 4Bytes 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I Address | Control | Protocol | 8 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

IP header: 5 x 4Bytes 

+ - + - + - + -+- + - + -+- + - + - + - + - + - + - + - + - + - + - + - + - + - + - + -+- + - + - + -+- + - + - + — h- + 
I Version I IHL | Type of Service] Total Length | 9 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I Identification | Flags | Fragment Offset | 10 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I Time to Live | Protocol | Header Checksum | 11 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+- +-+-+-+-+-+-+-+-+-+-+-+ 
I Source Address | 12 

I Destination Address | 13 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 

Payload: 2 x 4Bytes 

4._ + _4._+_ + _ + _ + + _ + _ + _ + _ + _ + _ + + _ + _ + _ +_ + _+ _ + _ + _ + _ + _ + _ + _ + _4._ + _+_ + 

I Source Port | Destination Port | 14 

+-+-+-+-+-+'+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
I Data I 15 

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 
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Please note the following allowed values for each of the 5 bit decodes: 



Table 5: A Summary of the selection choices for the ACL hash key 



Selection 
Bits 


KEY [7:6] 


KEY [5:4] 


KEY [3:2] 


KEY [1:0] 


00 


SA[7:6] 


SA[5:41 


SA[3:2] 


SA[1:0] 


01 


SA[15:14] 


SA[13:12] 


SA[11:101 


SA[9:81 


02 


SA[23:22] 


SA[21:20] 


SA[19:18] 


SA[17:16] 


03 


SA[31:30] 


SA[29:28] 


SA[27:26] 


SA[25:243 


04 


DA[7:6] 


DA[5:4] 


DA[3:2] 


DA[1:0] 


05 


DA[15:14] 


DA[13 :12] 


DAfllilO] 


DA [ 9 : 8 ] 


06 


DA[23:22] 


DA[21:20] 


DA[19:18] 


DA[17:16] 


07 


DA[31:30] 


DA[29:28] 


DA[27:26] 


DA[25:24] 


08 


SP[7:6] 


SP[5:4] 


SP[3 :2] 


SP[1:0] 


09 


SP[15:14] 


SP[13 :12] 


SP[11:10] 


SP[9:8] 


Oa 


DP[7:6] 


DP[5:4] 


DP[3:2] 


DP[1:0] 


Ob 


DP[15:14] 


DP[13:12] 


DP[11:10] 


DP[9:8] 


Oc 


PROT[7:6] 


PROT [5:4] 


PR0T[3:2] 


PROT [1:0] 


Od 


TOS[7:6] 


TOS[5:4] 


TOS[3 :23 


T0S[1 : OJ 


Oe 


SA[3:2] 


SA[1:0] 


SA[7:6] 


SA[5:4] 


Of 


SA[11:10] 


SA[9:8] 


SA[15:14] 


SA[13:123 


10 


SA[19:18] 


SA[17:16] 


SA[23:22] 


SA[21:20] 


11 


SA[27:26] 


SA[25:24] 


SA[31;30] 


SA[29:28] 


12 


DA[3:2] 


DA[1:01 


DA[7:6] 


DA [5: 4] 


13 


DA[11:10] 


DA[9:8] 


DA[15:14] 


DA[13:12] 


14 


DA[19:18] 


DA[17:16] 


DA[23:22] 


DA[21:20] 


15 


DA[27:26] 


DA[25:24] 


DA[31:30] 


DA[29:28] 


16 


SP[3:2] 


SPC1:0] 


SP[7:6] 


SP[5:4] 


17 


SP[11:10] 


SP[9:8] 


SP[15:14] 


SP[13:12] 


18 


DP[3 :2] 


DP[1:03 


DP[7:6] 


DP[5:4] 


19 


DP[11:10] 


DP[9:8] 


DP[15:14] 


DP[13:12] 


la 


PR0T[3:2] 


PROT[1:03 


PROT(7:6] 


PR0T[5:4] 


lb 


T0S[3:2] 


TOS[1:01 


TOS[7:6] 


TOS[5:4] 


Ic 


Reserved 


Reserved 


Reserved 


Reserved 


Id 


Reserved 


Reserved 


Reserved 


Reserved 


le 


Reserved 


Reserved 


Reserved 


Reserved 


If 


Reserved 


Reserved 


Reserved 


Reserved 



Suggested values for this register are: 

18_18_6_6 Key = {DP [3:2] , DP [1:0] , DA [19:18] , DA [17 : 16]} 
0e_18_6_6 Key^{SA[3:2] ,DP[1:0] ,DA[19:18] ,DA[17:16]} 
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